Symfony Configuration Cheat Sheet (A4, 2018) - files.ripstech.com


SYMFONY CONFIGURATION CHEAT SHEET

USE STRONG DATABASE CREDENTIALS

Do not use the root user for your database connection, and choose a strong password that is long and secure. Create a different database user for each application, granted only the privileges that application needs. Use environment variables for secrets and credentials.

A database, whether a server or an SQLite file, often contains the most sensitive data of your users and customers. You have to make sure that this data is stored securely. The first steps are secure secrets and no default values as credentials.

USE BUILT-IN CSRF PROTECTION

Enable the built-in CSRF protection globally. If necessary, disable protection only for a specific form (via that form's csrf_protection option), never for the whole application.

Cross-Site Request Forgery (CSRF) is an often forgotten vulnerability in web applications. It allows attackers to submit requests in the name of other users and thereby act with their privileges. With CSRF protection activated, a secret token bound to the user's session prevents attackers from forging arbitrary state-changing requests. The Form component adds and checks this token automatically; controllers that accept POST requests without the Form component must verify a token themselves (for example with the isCsrfTokenValid() helper of AbstractController), because the global switch alone does not cover them.

config/packages/framework.yaml

framework:
    csrf_protection: true

USE A STRONG ALGORITHM FOR PASSWORDS AND OTHER SECRETS

It is important that your passwords stay secure even if your database is leaked. Use a strong hashing algorithm and never store passwords in plaintext.

A strong algorithm, such as bcrypt, makes it very difficult for an attacker to deduce the plaintext password from the password hash. The cost parameter is deliberately slow and each increment doubles the work, so measure login latency on your production hardware before raising it beyond the default. Since Symfony 4.3, algorithm: auto selects the strongest hasher available on the system (Argon2id where supported, bcrypt otherwise); in Symfony 5.3 the encoders key was renamed password_hashers.

config/packages/security.yaml

security:
    encoders:
        Symfony\Component\Security\Core\User\User:
            algorithm: bcrypt
            cost: 15

AVOID HARDCODED CREDENTIALS

Internal and external attackers can steal hardcoded credentials, and credentials written into configuration files are hard to rotate on production systems.

Do not keep users and their passwords in the security configuration, as in this in-memory provider:

config/packages/security.yaml

security:
    providers:
        in_memory:
            memory:
                users:
                    admin:
                        password: supersecurepassword   # hardcoded, plaintext: do not do this
                        roles: 'ROLE_ADMIN'

Instead, manage and store your users in a database. For this you can use the FOSUserBundle, which after a simple integration relieves you of many steps of user administration (newer projects usually generate the user entity and provider with MakerBundle's make:user command instead):

config/packages/security.yaml

security:
    providers:
        fos_userbundle:
            id: fos_user.user_provider.username

The same applies to the database credentials themselves: reference them through an environment variable instead of writing them into doctrine.yaml.

config/packages/doctrine.yaml

doctrine:
    dbal:
        url: '%env(DATABASE_URL)%'

.env

# replace <password> and <host> with the real values; characters such as @, / or : in the password must be URL-encoded
DATABASE_URL=mysql://non_root:<password>@<host>:3306/unique_db

Symfony supports .env files to easily use environment variables during development. Keep only harmless defaults in the committed .env; real credentials belong in .env.local (ignored by git) or in the real environment of the production server.

USE DATA VALIDATION

Use the input validation options of Symfony. These allow you to check the correctness of user data in forms or database entries and to reject malicious input.

It often helps to use annotations in your code. These can also be used to define validation for properties.

config/packages/framework.yaml

framework:
    validation:
        enabled: true              # constraints from config/validator/*.yaml (or XML/PHP mappings)
        enable_annotations: true   # additionally allow @Assert annotations on entity properties

Validation only runs when something triggers it: forms validate on handleRequest(), but data you take from the request yourself (JSON bodies, query parameters) must be passed to the validator service explicitly, and Doctrine does not validate an entity before persisting it.

FORCE HTTPS

Always ensure that controllers that process or display user data can only be accessed via a secure protocol.

config/routes.yaml

secure:
    path: /secure
    controller: App\Controller\MainController::secure
    schemes: [https]

A route-level scheme only redirects requests to that one route; everything it does not match stays reachable over plain HTTP. Prefer requires_channel: https in the global access_control (next section) and refuse plain HTTP at the web server or load balancer as well.

USE GLOBAL ACCESS CONTROL

Make sure to set access permissions in the global security configuration for all controllers, following the least-privilege design principle.

Setting access rights in each individual controller can cause you to forget a path or controller, so that an unauthorized user can get access to sensitive data. Always whitelist, never blacklist, to capture all cases.

config/packages/security.yaml

security:
    access_control:
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin, role: ROLE_ADMIN }
        - { path: ^/, role: ROLE_USER }

The rules are evaluated top to bottom and the first matching one wins, so list the specific paths first and the catch-all ^/ last.

USE CORS WITH CARE

Cross-Origin Resource Sharing (CORS) is needed when pages served from another origin (for example a separate frontend) must read responses from your application. If you work with CORS, use it wisely and limit it as much as you can.

Symfony supports the NelmioCorsBundle, which defines what origins are allowed. It is recommended to use environment variables and always whitelist, not blacklist, to capture all cases.

The allow_origin setting specifies which sites are allowed to exchange data with your application under a relaxed Same-Origin Policy. An overly broad rule can leak HTTP responses to malicious sites, which can then steal sensitive data.

config/packages/nelmio_cors.yaml

nelmio_cors:
    defaults:
        origin_regex: true   # required for the entries below to be treated as regular expressions
        allow_origin: ['^https?://localhost(:[0-9]+)?$']

RANDOM APP SECRET

Use a long, random and unique string as secret. Never use the same secret for two different apps.

The secret is used for security-related features such as CSRF tokens, remember-me cookies and signed fragment URLs, wherever the framework needs a unique and unpredictable value; an attacker who learns it can forge those. Like the database URL, the secret can be stored in an environment variable: Symfony Flex already wires framework.secret to APP_SECRET in .env, so generate a fresh random value per application and per environment and never commit the production one.

AVOID OUTDATED DEPENDENCIES

Use tools to continuously check your dependencies for known and new vulnerabilities.

terminal

$ composer require sensiolabs/security-checker
$ php bin/console security:check

The sensiolabs/security-checker package and the web service behind it were discontinued in January 2021; run the same check with symfony check:security (Symfony CLI), the Local PHP Security Checker, or composer audit (Composer 2.4 and later), and run it in CI on every build.

Find out more at www.ripstech.com on how to scan your custom Symfony code for critical security vulnerabilities and other misconfigurations.
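Constraints declared in a mapping file, as an added example that is not part of the RIPS sheet. The entity App\Entity\User and its properties are assumptions; with framework.validation enabled as above, Symfony loads config/validator/*.yaml automatically, so no annotations are needed:

```yaml
# config/validator/validation.yaml (added example, not from the sheet)
# App\Entity\User and the property names are assumptions.
App\Entity\User:
    properties:
        email:
            - NotBlank: ~
            - Email: ~
            - Length: { max: 180 }             # bound every string before it reaches the database
        username:
            - NotBlank: ~
            - Length: { min: 3, max: 32 }
            - Regex:
                pattern: '/^[a-z0-9_]+$/'      # whitelist the allowed character set, do not blacklist
                message: 'Only lowercase letters, digits and underscores are allowed.'
        plainPassword:
            - NotBlank: { groups: [registration] }   # required at registration, optional on profile edit
            - Length: { min: 12, max: 4096 }         # 4096 is the maximum Symfony's password encoders accept
            - NotCompromisedPassword: ~              # Symfony 4.3+, queries the haveibeenpwned.com range API
        website:
            - Url: { protocols: [https] }            # rejects http:// and javascript: style values
```

Forms bound to this entity validate on handleRequest(); for a JSON API, inject ValidatorInterface and call validate($user) before persisting, because Doctrine will happily store an invalid entity.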
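The access-control ordering pitfall and the global HTTPS switch, as an added example for the FORCE HTTPS and USE GLOBAL ACCESS CONTROL sections (not the sheet's own code). The paths, roles and IP ranges are assumptions for an application with a public login page, a user area and an admin area; the two YAML documents show the wrong and the corrected configuration side by side and only the second belongs in the file:

```yaml
# config/packages/security.yaml (added example, not from the sheet)

# WRONG: rules are evaluated top to bottom and the first match wins. The
# catch-all ^/ shadows the ^/admin rule below it, so any ROLE_USER can open /admin.
security:
    access_control:
        - { path: ^/login$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/,       roles: ROLE_USER }
        - { path: ^/admin,  roles: ROLE_ADMIN }   # never reached
---
# CORRECT: whitelist the few public paths, put specific rules before the
# catch-all, and force HTTPS on every matched path instead of per route.
security:
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER        # admins keep access to the ROLE_USER area
    access_control:
        - { path: ^/login$, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https }
        # Admin area additionally pinned to internal addresses (assumed ranges).
        - { path: ^/admin, roles: ROLE_ADMIN, requires_channel: https,
            ips: ['127.0.0.1', '::1', '10.0.0.0/8'] }
        # A rule whose ips do not match is skipped, not denied: without this
        # explicit deny, an external ROLE_USER would fall through to the ^/ rule
        # and reach /admin. ROLE_NO_ACCESS is simply a role nobody has.
        - { path: ^/admin, roles: ROLE_NO_ACCESS }
        - { path: ^/, roles: ROLE_USER, requires_channel: https }
```

Check the result with bin/console debug:router and a plain HTTP request to each area: /login and / must redirect to https, /admin must answer 403 for a ROLE_USER session and for an admin coming from a non-listed address.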
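A complete NelmioCorsBundle configuration that keeps the origin list in an environment variable and limits CORS to the paths that need it, as an added example for the USE CORS WITH CARE section (not the sheet's own code). The /api/ prefix is an assumption; the CORS_ALLOW_ORIGIN variable name follows the Symfony Flex recipe for the bundle, and the origin values are constructed for illustration:

```yaml
# config/packages/nelmio_cors.yaml (added example, not from the sheet)
nelmio_cors:
    defaults:
        # Entries in allow_origin are regular expressions only with origin_regex
        # enabled; without it the pattern '^https?://localhost(:[0-9]+)?$' is
        # compared literally and never matches.
        origin_regex: true
        # Keep the list out of the code base. Constructed values:
        #   .env.local (development):  CORS_ALLOW_ORIGIN='^https?://localhost(:[0-9]+)?$'
        #   production environment:    CORS_ALLOW_ORIGIN='^https://app\.example\.com$'
        # Anchor with ^ and $ and escape the dots: an unanchored 'https://app.example.com'
        # also matches https://app.example.com.attacker.tld.
        allow_origin: ['%env(CORS_ALLOW_ORIGIN)%']
        allow_credentials: false        # cookies and Authorization are never shared unless enabled per path
        allow_methods: ['GET', 'OPTIONS']
        allow_headers: ['Content-Type']
        max_age: 3600                   # seconds a browser may cache the preflight answer
    paths:
        # Requests whose path matches no entry here get no CORS headers from the
        # bundle at all, so the admin backend and the login form stay same-origin.
        '^/api/':
            allow_credentials: true     # session cookie travels cross-origin: the origin list must stay exact
            allow_methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS']
            allow_headers: ['Content-Type', 'Authorization']
            expose_headers: ['Link']
```

Verify with a preflight request that carries an unexpected origin (curl -i -X OPTIONS -H 'Origin: https://evil.example' -H 'Access-Control-Request-Method: POST' https://app.example.com/api/users): the response must contain no Access-Control-Allow-Origin header.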

MORE SECURITY INSIGHTS @ RIPSTECH.COM
