New in Symfony 6.4: Security Improvements
Symfony 6.4 is backed by:
The Symfony Profiler provides detailed information about the security such as the user token details, the security listeners related to the request and the access decision log.
In Symfony 6.4 we're improving it to also display how the security badges are
resolved. In this example, the user input their credentials wrong, so the
PasswordCredentials badge is not resolved correctly:
In this other example, user authentication was successful:
When using the login throttling in your application (via the RateLimiter component) Symfony generates certain log messages. Those logs include information such as the IP address the username. These could be considered as PII (Personally Identifiable Information) and that's why we're hashing them with a cryptographically secure hash function.
You only need to upgrade to Symfony 6.4 or higher and Symfony will start hashing the IP address and the username using the kernel secret of your application.
pattern option of the security firewall defines the regular expression
used to decide if the incoming request matches the firewall. Sometimes, a single
firewall matches multiple paths, which can make the regular expression hard to
maintain. In Symfony 6.4, we're improving this option so you can also pass
an array of regular expressions:
1 2 3 4 5 6 7 8
# config/packages/security.html.twig security: firewalls: no_security: - pattern: "^/(register|documentation)$" + pattern: + - "^/register$" + - "^/documentation$"