One of the most well-known Symfony configuration options is the secret, which can be configured via the framework.secret option or the APP_SECRET env var in one of the .env files processed by Symfony. Regardless of how you configure it, this value ultimately becomes the kernel.secret parameter in your application.

Despite its name, this option is not needed at all in new Symfony applications. It is only relevant for optional features that you might never use, such as:

  • Login links for password-less logins;
  • Remember Me for automatic logins based on prior sessions;
  • Rate Limiter for controlling the frequency of specific actions;
  • ESI for content includes when using HTTP caching.

A long-term effort in the Symfony project was to allow creating new applications without requiring a secret value. In Symfony 7.2, we finally achieved that goal, so new applications now come with an empty secret by default.

To accomplish this, we did the following changes:

  • PR #56840: Updated the login links feature to allow defining a custom secret value for signing the links. It still relies on kernel.secret by default, but no longer requires it;
  • PR #56838: Deprecated the $secret argument in Remember Me feature, as this secret has not been used since the feature was refactored to the new authentication system;
  • PR #56831: Removed the use of the secret in the Rate Limiter for hashing IP addresses and usernames (that hashing exists to anonymize the stored data, not to authenticate it);
  • PR #57462: Modified secret resolution in configuration files to happen lazily, avoiding issues during file processing;
  • PR #56985: If you use secrets to store sensitive information, you must configure a decryption key. In Symfony 7.2, this key will also serve as the kernel.secret when a secret is required but not defined.

With these changes, if you enable a feature that requires a secret but have not configured one, Symfony will throw an exception with a clear message explaining how to resolve the issue.
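To make the new behaviour concrete, here is an added illustration in plain PHP. It is not Symfony's own code: it models the secret resolution order the previous list describes (an explicit APP_SECRET first, the secrets decryption key as a fallback, and a clear exception when neither exists) and the kind of HMAC-signed link that login links depend on. The array keys APP_SECRET and SECRETS_DECRYPTION_KEY, the _hash query parameter and the sample values are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added illustration, not Symfony's own implementation. It models the
// behaviour described in the post: the secret is resolved only when a
// feature needs it, the secrets decryption key acts as a fallback, and an
// empty secret is an error rather than a silently weak signing key.

final class MissingSecretException extends \RuntimeException {}

/**
 * Resolve the application secret from an environment-like array.
 * APP_SECRET mirrors the real env var; SECRETS_DECRYPTION_KEY is an
 * assumed name standing in for wherever the vault decryption key lives.
 */
function resolveSecret(array $env): string
{
    $secret = $env['APP_SECRET'] ?? '';
    if ($secret !== '') {
        return $secret;
    }

    $decryptionKey = $env['SECRETS_DECRYPTION_KEY'] ?? '';
    if ($decryptionKey !== '') {
        return $decryptionKey; // fallback behaviour described for Symfony 7.2
    }

    throw new MissingSecretException(
        'A feature that signs data is enabled but no secret is configured. '
        . 'Set APP_SECRET (for example in .env.dev or .env.local) '
        . 'or configure a secrets decryption key.'
    );
}

/** Append an HMAC-SHA256 signature of the URL as a _hash query parameter. */
function signUri(string $uri, string $secret): string
{
    $separator = str_contains($uri, '?') ? '&' : '?';
    $signature = hash_hmac('sha256', $uri, $secret);

    return $uri . $separator . '_hash=' . $signature;
}

/** Verify a signed URL; the comparison is constant-time via hash_equals(). */
function checkUri(string $signedUri, string $secret): bool
{
    $pos = strrpos($signedUri, '_hash=');
    if ($pos === false) {
        return false; // no signature present at all
    }

    $given = substr($signedUri, $pos + strlen('_hash='));
    // Drop the separator ("?" or "&") that sits one byte before "_hash=".
    $uri = substr($signedUri, 0, $pos - 1);
    $expected = hash_hmac('sha256', $uri, $secret);

    return hash_equals($expected, $given);
}

// Constructed sample environments; none of these values are real secrets.
$devEnv = ['APP_SECRET' => 'dev-only-secret-generated-into-.env.dev'];
$prodEnvWithVault = ['APP_SECRET' => '', 'SECRETS_DECRYPTION_KEY' => 'PLACEHOLDER_DECRYPTION_KEY'];
$bareEnv = ['APP_SECRET' => ''];

$link = signUri('https://example.test/login/link?user=42', resolveSecret($devEnv));

var_dump(checkUri($link, resolveSecret($devEnv)));          // untouched link, same secret
var_dump(checkUri($link . 'x', resolveSecret($devEnv)));    // tampered link must be rejected
var_dump(checkUri($link, resolveSecret($prodEnvWithVault))); // signed with a different key

try {
    // No APP_SECRET and no decryption key: the feature fails fast with a
    // readable message instead of signing links with an empty key.
    signUri('https://example.test/login/link?user=42', resolveSecret($bareEnv));
} catch (MissingSecretException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The point worth taking from the last case is the security-relevant one: with an empty secret, `hash_hmac()` happily produces a signature that anyone can reproduce, so forcing an exception at resolution time is what turns "no secret configured" from a silent weakness into a visible configuration error.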

Finally, to improve DX (developer experience) during local development, Symfony automatically generates a secret value for the local environment when creating a new application. This value is stored in the .env.dev file, which is a safer practice compared to the previous approach. Previously, the secret was generated in the main .env, which is also used in production and could potentially be exploited by malicious actors within the development team.

Published in #Living on the edge