Skip to content

Framework Configuration Reference (FrameworkBundle)

Warning: You are browsing the documentation for Symfony 4.x, which is no longer maintained.

Read the updated version of this page for Symfony 7.2 (the current stable version).

The FrameworkBundle defines the main framework configuration, from sessions and translations to forms, validation, routing and more. All these options are configured under the framework key in your application configuration.

1
2
3
4
5
# displays the default config values defined by Symfony
$ php bin/console config:dump-reference framework

# displays the actual config values used by your application
$ php bin/console debug:config framework

Note

When using XML, you must use the http://symfony.com/schema/dic/symfony namespace and the related XSD schema is available at: https://symfony.com/schema/dic/symfony/symfony-1.0.xsd

Configuration

secret

type: string required

This is a string that should be unique to your application and it's commonly used to add more entropy to security related operations. Its value should be a series of characters, numbers and symbols chosen randomly and the recommended length is around 32 characters.

In practice, Symfony uses this value for encrypting the cookies used in the remember me functionality and for creating signed URIs when using ESI (Edge Side Includes). That's why you should treat this value as if it were a sensitive credential and never make it public.

This option becomes the service container parameter named kernel.secret, which you can use whenever the application needs an immutable random string to add more entropy.

As with any other security-related parameter, it is a good practice to change this value from time to time. However, keep in mind that changing this value will invalidate all signed URIs and Remember Me cookies. That's why, after changing this value, you should regenerate the application cache and log out all the application users.

http_method_override

type: boolean default: true

This determines whether the _method request parameter is used as the intended HTTP method on POST requests. If enabled, the Request::enableHttpMethodParameterOverride method gets called automatically. It becomes the service container parameter named kernel.http_method_override.

See also

Changing the Action and HTTP Method of Symfony forms.

Caution

If you're using the HttpCache Reverse Proxy with this option, the kernel will ignore the _method parameter, which could lead to errors.

To fix this, invoke the enableHttpMethodParameterOverride() method before creating the Request object:

1
2
3
4
5
6
7
8
// public/index.php

// ...
$kernel = new CacheKernel($kernel);

Request::enableHttpMethodParameterOverride(); // <-- add this line
$request = Request::createFromGlobals();
// ...

trusted_proxies

The trusted_proxies option was removed in Symfony 3.3. See How to Configure Symfony to Work behind a Load Balancer or a Reverse Proxy.

ide

type: string default: null

Symfony turns file paths seen in variable dumps and exception messages into links that open those files right inside your browser. If you prefer to open those files in your favorite IDE or text editor, set this option to any of the following values: phpstorm, sublime, textmate, macvim, emacs, atom and vscode.

Note

The phpstorm option is supported natively by PhpStorm on MacOS, Windows requires PhpStormProtocol and Linux requires phpstorm-url-handler.

If you use another editor, the expected configuration value is a URL template that contains an %f placeholder where the file path is expected and %l placeholder for the line number (percentage signs (%) must be escaped by doubling them to prevent Symfony from interpreting them as container parameters).

1
2
3
# config/packages/framework.yaml
framework:
    ide: 'myide://open?url=file://%%f&line=%%l'

Since every developer uses a different IDE, the recommended way to enable this feature is to configure it on a system level. This can be done by setting the xdebug.file_link_format option in your php.ini configuration file. The format to use is the same as for the framework.ide option, but without the need to escape the percent signs (%) by doubling them:

1
2
3
4
5
// example for PhpStorm
xdebug.file_link_format="phpstorm://open?file=%f&line=%l"

// example for Sublime
xdebug.file_link_format="subl://open?url=file://%f&line=%l"

Note

If both framework.ide and xdebug.file_link_format are defined, Symfony uses the value of the xdebug.file_link_format option.

Tip

Setting the xdebug.file_link_format ini option works even if the Xdebug extension is not enabled.

Tip

When running your app in a container or in a virtual machine, you can tell Symfony to map files from the guest to the host by changing their prefix. This map should be specified at the end of the URL template, using & and > as guest-to-host separators:

1
2
3
4
5
6
7
// /path/to/guest/.../file will be opened
// as /path/to/host/.../file on the host
// and /var/www/app/ as /projects/my_project/ also
'myide://%%f:%%l&/path/to/guest/>/path/to/host/&/var/www/app/>/projects/my_project/&...'

// example for PhpStorm
'phpstorm://open?file=%%f&line=%%l&/var/www/app/>/projects/my_project/'

test

type: boolean

If this configuration setting is present (and not false), then the services related to testing your application (e.g. test.client) are loaded. This setting should be present in your test environment (usually via config/packages/test/framework.yaml).

See also

For more information, see Testing.

default_locale

type: string default: en

The default locale is used if no _locale routing parameter has been set. It is available with the Request::getDefaultLocale method.

See also

You can read more information about the default locale in How to Work with the User's Locale.

disallow_search_engine_index

type: boolean default: true when the debug mode is enabled, false otherwise.

4.3

The disallow_search_engine_index option was introduced in Symfony 4.3.

If true, Symfony adds a X-Robots-Tag: noindex HTTP tag to all responses (unless your own app adds that header, in which case it's not modified). This X-Robots-Tag HTTP header tells search engines to not index your web site. This option is a protection measure in case you accidentally publish your site in debug mode.

trusted_hosts

type: array | string default: []

A lot of different attacks have been discovered relying on inconsistencies in handling the Host header by various software (web servers, reverse proxies, web frameworks, etc.). Basically, every time the framework is generating an absolute URL (when sending an email to reset a password for instance), the host might have been manipulated by an attacker.

See also

You can read "`HTTP Host header attacks`_" for more information about these kinds of attacks.

The Symfony Request::getHost() method might be vulnerable to some of these attacks because it depends on the configuration of your web server. One simple solution to avoid these attacks is to configure a list of hosts that your Symfony application can respond to. That's the purpose of this trusted_hosts option. If the incoming request's hostname doesn't match one of the regular expressions in this list, the application won't respond and the user will receive a 400 response.

1
2
3
# config/packages/framework.yaml
framework:
    trusted_hosts:  ['^example\.com$', '^example\.org$']

Hosts can also be configured to respond to any subdomain, via ^(.+\.)?example\.com$ for instance.

In addition, you can also set the trusted hosts in the front controller using the Request::setTrustedHosts() method:

1
2
// public/index.php
Request::setTrustedHosts(['^(.+\.)?example\.com$', '^(.+\.)?example\.org$']);

The default value for this option is an empty array, meaning that the application can respond to any given host.

See also

Read more about this in the Security Advisory Blog post.

form

enabled

type: boolean default: true or false depending on your installation

Whether to enable the form services or not in the service container. If you don't use forms, setting this to false may increase your application's performance because less services will be loaded into the container.

This option will automatically be set to true when one of the child settings is configured.

Note

This will automatically enable the validation.

See also

For more details, see Forms.

field_name

type: string default: _token

This is the field name that you should give to the CSRF token field of your forms.

csrf_protection

See also

For more information about CSRF protection, see How to Implement CSRF Protection.

enabled

type: boolean default: true or false depending on your installation

This option can be used to disable CSRF protection on all forms. But you can also disable CSRF protection on individual forms.

1
2
3
4
# config/packages/framework.yaml
framework:
    # ...
    csrf_protection: true

If you're using forms, but want to avoid starting your session (e.g. using forms in an API-only website), csrf_protection will need to be set to false.

error_controller

type: string default: error_controller

4.4

The error_controller option was introduced in Symfony 4.4.

This is the controller that is called when an exception is thrown anywhere in your application. The default controller (ErrorController) renders specific templates under different error conditions (see How to Customize Error Pages).

esi

See also

You can read more about Edge Side Includes (ESI) in Working with Edge Side Includes.

enabled

type: boolean default: false

Whether to enable the edge side includes support in the framework.

You can also set esi to true to enable it:

1
2
3
# config/packages/framework.yaml
framework:
    esi: true

fragments

See also

Learn more about fragments in the HTTP Cache article.

enabled

type: boolean default: false

Whether to enable the fragment listener or not. The fragment listener is used to render ESI fragments independently of the rest of the page.

This setting is automatically set to true when one of the child settings is configured.

hinclude_default_template

type: string default: null

4.3

The framework.fragments.hinclude_default_template option was introduced in Symfony 4.3. In previous Symfony versions it was defined under framework.templating.hinclude_default_template.

Sets the content shown during the loading of the fragment or when JavaScript is disabled. This can be either a template name or the content itself.

See also

See How to Embed Asynchronous Content with hinclude.js for more information about hinclude.

path

type: string default: '/_fragment'

The path prefix for fragments. The fragment listener will only be executed when the request starts with this path.

http_client

When the HttpClient component is installed, an HTTP client is available as a service named http_client or using the autowiring alias HttpClientInterface.

This service can be configured using framework.http_client.default_options:

1
2
3
4
5
6
7
8
# config/packages/framework.yaml
framework:
    # ...
    http_client:
        max_host_connections: 10
        default_options:
            headers: { 'X-Powered-By': 'ACME App' }
            max_redirects: 7

Multiple pre-configured HTTP client services can be defined, each with its service name defined as a key under scoped_clients. Scoped clients inherit the default options defined for the http_client service. You can override these options and can define a few others:

1
2
3
4
5
6
7
8
# config/packages/framework.yaml
framework:
    # ...
    http_client:
        scoped_clients:
            my_api.client:
                auth_bearer: secret_bearer_token
                # ...

Options defined for scoped clients apply only to URLs that match either their base_uri or the scope option when it is defined. Non-matching URLs always use default options.

Each scoped client also defines a corresponding named autowiring alias. If you use for example Symfony\Contracts\HttpClient\HttpClientInterface $myApiClient as the type and name of an argument, autowiring will inject the my_api.client service into your autowired classes.

auth_basic

type: string

The username and password used to create the Authorization HTTP header used in HTTP Basic authentication. The value of this option must follow the format username:password.

auth_bearer

type: string

The token used to create the Authorization HTTP header used in HTTP Bearer authentication (also called token authentication).

auth_ntlm

type: string

4.4

The auth_ntlm option was introduced in Symfony 4.4.

The username and password used to create the Authorization HTTP header used in the Microsoft NTLM authentication protocol. The value of this option must follow the format username:password. This authentication mechanism requires using the cURL-based transport.

base_uri

type: string

URI that is merged into relative URIs, following the rules explained in the RFC 3986 standard. This is useful when all the requests you make share a common prefix (e.g. https://api.github.com/) so you can avoid adding it to every request.

Here are some common examples of how base_uri merging works in practice:

bindto

type: string

A network interface name, IP address, a host name or a UNIX socket to use as the outgoing network interface.

buffer

type: boolean | Closure

Buffering the response means that you can access its content multiple times without performing the request again. Buffering is enabled by default when the content type of the response is text/*, application/json or application/xml.

If this option is a boolean value, the response is buffered when the value is true. If this option is a closure, the response is buffered when the returned value is true (the closure receives as argument an array with the response headers).

4.4

The support of Closure in the buffer option was introduced in Symfony 4.4.

cafile

type: string

The path of the certificate authority file that contains one or more certificates used to verify the other servers' certificates.

capath

type: string

The path to a directory that contains one or more certificate authority files.

ciphers

type: string

A list of the names of the ciphers allowed for the SSL/TLS connections. They can be separated by colons, commas or spaces (e.g. 'RC4-SHA:TLS13-AES-128-GCM-SHA256').

headers

type: array

An associative array of the HTTP headers added before making the request. This value must use the format ['header-name' => 'value0, value1, ...'].

http_version

type: string | null default: null

The HTTP version to use, typically '1.1' or '2.0'. Leave it to null to let Symfony select the best version automatically.

local_cert

type: string

The path to a file that contains the PEM formatted certificate used by the HTTP client. This is often combined with the local_pk and passphrase options.

local_pk

type: string

The path of a file that contains the PEM formatted private key of the certificate defined in the local_cert option.

max_duration

type: float default: 0

The maximum execution time, in seconds, that the request and the response are allowed to take. A value lower than or equal to 0 means it is unlimited.

4.4

The max_duration option was introduced in Symfony 4.4.

max_host_connections

type: integer default: 6

Defines the maximum amount of simultaneously open connections to a single host (considering a "host" the same as a "host name + port number" pair). This limit also applies for proxy connections, where the proxy is considered to be the host for which this limit is applied.

max_redirects

type: integer default: 20

The maximum number of redirects to follow. Use 0 to not follow any redirection.

no_proxy

type: string | null default: null

A comma separated list of hosts that do not require a proxy to be reached, even if one is configured. Use the '*' wildcard to match all hosts and an empty string to match none (disables the proxy).

passphrase

type: string

The passphrase used to encrypt the certificate stored in the file defined in the local_cert option.

peer_fingerprint

type: array

When negotiating a TLS or SSL connection, the server sends a certificate indicating its identity. A public key is extracted from this certificate and if it does not exactly match any of the public keys provided in this option, the connection is aborted before sending or receiving any data.

The value of this option is an associative array of algorithm => hash (e.g ['pin-sha256' => '...']).

proxy

type: string | null

The HTTP proxy to use to make the requests. Leave it to null to detect the proxy automatically based on your system configuration.

query

type: array

An associative array of the query string values added to the URL before making the request. This value must use the format ['parameter-name' => parameter-value, ...].

resolve

type: array

A list of hostnames and their IP addresses to pre-populate the DNS cache used by the HTTP client in order to avoid a DNS lookup for those hosts. This option is useful to improve security when IPs are checked before the URL is passed to the client and to make your tests easier.

The value of this option is an associative array of domain => IP address (e.g ['symfony.com' => '46.137.106.254', ...]).

scope

type: string

For scoped clients only: the regular expression that the URL must match before applying all other non-default options. By default, the scope is derived from base_uri.

timeout

type: float default: depends on your PHP config

Time, in seconds, to wait for a response. If the response takes longer, a TransportException is thrown. Its default value is the same as the value of PHP's default_socket_timeout config option.

verify_host

type: boolean default: true

If true, the certificate sent by other servers is verified to ensure that their common name matches the host included in the URL. This is usually combined with verify_peer to also verify the certificate authenticity.

verify_peer

type: boolean default: true

If true, the certificate sent by other servers when negotiating a TLS or SSL connection is verified for authenticity. Authenticating the certificate is not enough to be sure about the server, so you should combine this with the verify_host option.

profiler

enabled

type: boolean default: false

The profiler can be enabled by setting this option to true. When you install it using Symfony Flex, the profiler is enabled in the dev and test environments.

Note

The profiler works independently from the Web Developer Toolbar, see the WebProfilerBundle configuration on how to disable/enable the toolbar.

collect

type: boolean default: true

This option configures the way the profiler behaves when it is enabled. If set to true, the profiler collects data for all requests. If you want to only collect information on-demand, you can set the collect flag to false and activate the data collectors manually:

1
$profiler->enable();

only_exceptions

type: boolean default: false

When this is set to true, the profiler will only be enabled when an exception is thrown during the handling of the request.

only_master_requests

type: boolean default: false

When this is set to true, the profiler will only be enabled on the master requests (and not on the subrequests).

dsn

type: string default: 'file:%kernel.cache_dir%/profiler'

The DSN where to store the profiling information.

request

formats

type: array default: []

This setting is used to associate additional request formats (e.g. html) to one or more mime types (e.g. text/html), which will allow you to use the format & mime types to call Request::getFormat($mimeType) or Request::getMimeType($format).

In practice, this is important because Symfony uses it to automatically set the Content-Type header on the Response (if you don't explicitly set one). If you pass an array of mime types, the first will be used for the header.

To configure a jsonp format:

1
2
3
4
5
# config/packages/framework.yaml
framework:
    request:
        formats:
            jsonp: 'application/javascript'

router

resource

type: string required

The path the main routing resource (e.g. a YAML file) that contains the routes and imports the router should load.

type

type: string

The type of the resource to hint the loaders about the format. This isn't needed when you use the default routers with the expected file extensions (.xml, .yaml, .php).

http_port

type: integer default: 80

The port for normal http requests (this is used when matching the scheme).

https_port

type: integer default: 443

The port for https requests (this is used when matching the scheme).

strict_requirements

type: mixed default: true

Determines the routing generator behavior. When generating a route that has specific parameter requirements, the generator can behave differently in case the used parameters do not meet these requirements.

The value can be one of:

true
Throw an exception when the requirements are not met;
false
Disable exceptions when the requirements are not met and return '' instead;
null
Disable checking the requirements (thus, match the route even when the requirements don't match).

true is recommended in the development environment, while false or null might be preferred in production.

utf8

type: boolean default: false

When this option is set to true, the regular expressions used in the requirements of route parameters will be run using the utf-8 modifier. This will for example match any UTF-8 character when using ., instead of matching only a single byte.

If the charset of your application is UTF-8 (as defined in the getCharset() method of your kernel) it's recommended setting it to true. This will make non-UTF8 URLs to generate 404 errors.

session

storage_id

type: string default: 'session.storage.native'

The service ID used for storing the session. The session.storage service alias will be set to this service. The class has to implement SessionStorageInterface. To see a list of all available storages, run:

1
$ php bin/console debug:container session.storage.

handler_id

type: string default: 'session.handler.native_file'

The service id used for session storage. The default value 'session.handler.native_file' will let Symfony manage the sessions itself using files to store the session metadata. Set it to null to use the native PHP session mechanism. You can also store sessions in a database.

name

type: string default: null

This specifies the name of the session cookie. By default, it will use the cookie name which is defined in the php.ini with the session.name directive.

type: integer default: null

This determines the lifetime of the session - in seconds. The default value - null - means that the session.cookie_lifetime value from php.ini will be used. Setting this value to 0 means the cookie is valid for the length of the browser session.

type: string default: /

This determines the path to set in the session cookie. By default, it will use /.

cache_limiter

type: string or int default: ''

If set to 0, Symfony won't set any particular header related to the cache and it will rely on the cache control method configured in the session.cache-limiter PHP.ini option.

Unlike the other session options, cache_limiter is set as a regular container parameter:

1
2
3
4
# config/services.yaml
parameters:
    session.storage.options:
        cache_limiter: 0

type: string default: ''

This determines the domain to set in the session cookie. By default, it's blank, meaning the host name of the server which generated the cookie according to the cookie specification.

type: string or null default: null

It controls the way cookies are sent when the HTTP request did not originate from the same domain that is associated with the cookies. Setting this option is recommended to mitigate CSRF security attacks.

By default, browsers send all cookies related to the domain of the HTTP request. This may be a problem for example when you visit a forum and some malicious comment includes a link like https://some-bank.com/?send_money_to=attacker&amount=1000. If you were previously logged into your bank website, the browser will send all those cookies when making that HTTP request.

The possible values for this option are:

  • null, use it to disable this protection. Same behavior as in older Symfony versions.
  • 'none' (or the Symfony\Component\HttpFoundation\Cookie::SAMESITE_NONE constant), use it to allow sending of cookies when the HTTP request originated from a different domain (previously this was the default behavior of null, but in newer browsers 'lax' would be applied when the header has not been set)
  • 'strict' (or the Cookie::SAMESITE_STRICT constant), use it to never send any cookie when the HTTP request did not originate from the same domain.
  • 'lax' (or the Cookie::SAMESITE_LAX constant), use it to allow sending cookies when the request originated from a different domain, but only when the user consciously made the request (by clicking a link or submitting a form with the GET method).

Note

This option is available starting from PHP 7.3, but Symfony has a polyfill so you can use it with any older PHP version as well.

type: boolean or string default: false

This determines whether cookies should only be sent over secure connections. In addition to true and false, there's a special 'auto' value that means true for HTTPS requests and false for HTTP requests.

type: boolean default: true

This determines whether cookies should only be accessible through the HTTP protocol. This means that the cookie won't be accessible by scripting languages, such as JavaScript. This setting can effectively help to reduce identity theft through XSS attacks.

gc_divisor

type: integer default: 100

See gc_probability.

gc_probability

type: integer default: 1

This defines the probability that the garbage collector (GC) process is started on every session initialization. The probability is calculated by using gc_probability / gc_divisor, e.g. 1/100 means there is a 1% chance that the GC process will start on each request.

gc_maxlifetime

type: integer default: 1440

This determines the number of seconds after which data will be seen as "garbage" and potentially cleaned up. Garbage collection may occur during session start and depends on gc_divisor and gc_probability.

sid_length

type: integer default: 32

This determines the length of session ID string, which can be an integer between 22 and 256 (both inclusive), being 32 the recommended value. Longer session IDs are harder to guess.

This option is related to the session.sid_length PHP option.

sid_bits_per_character

type: integer default: 4

This determines the number of bits in the encoded session ID character. The possible values are 4 (0-9, a-f), 5 (0-9, a-v), and 6 (0-9, a-z, A-Z, "-", ","). The more bits results in stronger session ID. 5 is recommended value for most environments.

This option is related to the session.sid_bits_per_character PHP option.

save_path

type: string default: %kernel.cache_dir%/sessions

This determines the argument to be passed to the save handler. If you choose the default file handler, this is the path where the session files are created.

You can also set this value to the save_path of your php.ini by setting the value to null:

1
2
3
4
# config/packages/framework.yaml
framework:
    session:
        save_path: ~

metadata_update_threshold

type: integer default: 0

This is how many seconds to wait between updating/writing the session metadata. This can be useful if, for some reason, you want to limit the frequency at which the session persists, instead of doing that on every request.

enabled

type: boolean default: true

Whether to enable the session support in the framework.

1
2
3
4
# config/packages/framework.yaml
framework:
    session:
        enabled: true

use_cookies

type: boolean default: null

This specifies if the session ID is stored on the client side using cookies or not. By default, it will use the value defined in the php.ini with the session.use_cookies directive.

assets

base_path

type: string

This option allows you to define a base path to be used for assets:

1
2
3
4
5
# config/packages/framework.yaml
framework:
    # ...
    assets:
        base_path: '/images'

base_urls

type: array

This option allows you to define base URLs to be used for assets. If multiple base URLs are provided, Symfony will select one from the collection each time it generates an asset's path:

1
2
3
4
5
6
# config/packages/framework.yaml
framework:
    # ...
    assets:
        base_urls:
            - 'http://cdn.example.com/'

packages

You can group assets into packages, to specify different base URLs for them:

1
2
3
4
5
6
7
# config/packages/framework.yaml
framework:
    # ...
    assets:
        packages:
            avatars:
                base_urls: 'http://static_cdn.example.com/avatars'

Now you can use the avatars package in your templates:

1
<img src="{{ asset('...', 'avatars') }}">

Each package can configure the following options:

version

type: string

This option is used to bust the cache on assets by globally adding a query parameter to all rendered asset paths (e.g. /images/logo.png?v2). This applies only to assets rendered via the Twig asset() function (or PHP equivalent).

For example, suppose you have the following:

1
<img src="{{ asset('images/logo.png') }}" alt="Symfony!"/>

By default, this will render a path to your image such as /images/logo.png. Now, activate the version option:

1
2
3
4
5
# config/packages/framework.yaml
framework:
    # ...
    assets:
        version: 'v2'

Now, the same asset will be rendered as /images/logo.png?v2 If you use this feature, you must manually increment the version value before each deployment so that the query parameters change.

You can also control how the query string works via the version_format option.

Note

This parameter cannot be set at the same time as version_strategy or json_manifest_path.

Tip

As with all settings, you can use a parameter as value for the version. This makes it easier to increment the cache on each deployment.

version_format

type: string default: %%s?%%s

This specifies a sprintf pattern that will be used with the version option to construct an asset's path. By default, the pattern adds the asset's version as a query string. For example, if version_format is set to %%s?version=%%s and version is set to 5, the asset's path would be /images/logo.png?version=5.

Note

All percentage signs (%) in the format string must be doubled to escape the character. Without escaping, values might inadvertently be interpreted as Service Container.

Tip

Some CDN's do not support cache-busting via query strings, so injecting the version into the actual file path is necessary. Thankfully, version_format is not limited to producing versioned query strings.

The pattern receives the asset's original path and version as its first and second parameters, respectively. Since the asset's path is one parameter, you cannot modify it in-place (e.g. /images/logo-v5.png); however, you can prefix the asset's path using a pattern of version-%%2$s/%%1$s, which would result in the path version-5/images/logo.png.

URL rewrite rules could then be used to disregard the version prefix before serving the asset. Alternatively, you could copy assets to the appropriate version path as part of your deployment process and forgot any URL rewriting. The latter option is useful if you would like older asset versions to remain accessible at their original URL.

version_strategy

type: string default: null

The service id of the asset version strategy applied to the assets. This option can be set globally for all assets and individually for each asset package:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
# config/packages/framework.yaml
framework:
    assets:
        # this strategy is applied to every asset (including packages)
        version_strategy: 'app.asset.my_versioning_strategy'
        packages:
            foo_package:
                # this package removes any versioning (its assets won't be versioned)
                version: ~
            bar_package:
                # this package uses its own strategy (the default strategy is ignored)
                version_strategy: 'app.asset.another_version_strategy'
            baz_package:
                # this package inherits the default strategy
                base_path: '/images'

Note

This parameter cannot be set at the same time as version or json_manifest_path.

json_manifest_path

type: string default: null

The file path to a manifest.json file containing an associative array of asset names and their respective compiled names. A common cache-busting technique using a "manifest" file works by writing out assets with a "hash" appended to their file names (e.g. main.ae433f1cb.css) during a front-end compilation routine.

Tip

Symfony's Webpack Encore supports outputting hashed assets. Moreover, this can be incorporated into many other workflows, including Webpack and Gulp using webpack-manifest-plugin and gulp-rev, respectively.

This option can be set globally for all assets and individually for each asset package:

1
2
3
4
5
6
7
8
9
10
11
12
# config/packages/framework.yaml
framework:
    assets:
        # this manifest is applied to every asset (including packages)
        json_manifest_path: "%kernel.project_dir%/public/build/manifest.json"
        packages:
            foo_package:
                # this package uses its own manifest (the default file is ignored)
                json_manifest_path: "%kernel.project_dir%/public/build/a_different_manifest.json"
            bar_package:
                # this package uses the global manifest (the default file is used)
                base_path: '/images'

Note

This parameter cannot be set at the same time as version or version_strategy. Additionally, this option cannot be nullified at the package scope if a global manifest file is specified.

Tip

If you request an asset that is not found in the manifest.json file, the original - unmodified - asset path will be returned.

templating

4.3

The integration of the Templating component in FrameworkBundle has been deprecated since version 4.3 and will be removed in 5.0. That's why all the configuration options defined under framework.templating are deprecated too.

form

resources

type: string[] default: ['FrameworkBundle:Form']

4.3

The integration of the Templating component in FrameworkBundle has been deprecated since version 4.3 and will be removed in 5.0. Form theming with PHP templates will no longer be supported and you'll need to use Twig instead.

A list of all resources for form theming in PHP. This setting is not required if you're using the Twig format for your themes.

Assume you have custom global form themes in templates/form_themes/, you can configure this like:

1
2
3
4
5
6
# config/packages/framework.yaml
framework:
    templating:
        form:
            resources:
                - 'form_themes'

Note

The default form templates from FrameworkBundle:Form will always be included in the form resources.

See also

See How to Work with Form Themes for more information.

cache

type: string

The path to the cache directory for templates. When this is not set, caching is disabled.

Note

When using Twig templating, the caching is already handled by the TwigBundle and doesn't need to be enabled for the FrameworkBundle.

engines

type: string[] / string required

The Templating Engine to use. This can either be a string (when only one engine is configured) or an array of engines.

At least one engine is required.

loaders

type: string[]

An array (or a string when configuring just one loader) of service ids for templating loaders. Templating loaders are used to find and load templates from a resource (e.g. a filesystem or database). Templating loaders must implement LoaderInterface.

translator

cache_dir

type: string | null default: %kernel.cache_dir%/translations/

4.4

The cache_dir option was introduced in Symfony 4.4.

Defines the directory where the translation cache is stored. Use null to disable this cache.

enabled

type: boolean default: true or false depending on your installation

Whether or not to enable the translator service in the service container.

fallbacks

type: string|array default: ['en']

This option is used when the translation key for the current locale wasn't found.

See also

For more details, see Translations.

logging

default: true when the debug mode is enabled, false otherwise.

When true, a log entry is made whenever the translator cannot find a translation for a given key. The logs are made to the translation channel at the debug level for keys where there is a translation in the fallback locale, and the warning level if there is no translation to use at all.

formatter

type: string default: translator.formatter.default

The ID of the service used to format translation messages. The service class must implement the MessageFormatterInterface.

paths

type: array default: []

This option allows to define an array of paths where the component will look for translation files. The later a path is added, the more priority it has (translations from later paths overwrite earlier ones). Translations from the default_path have more priority than translations from all these paths.

default_path

type: string default: %kernel.project_dir%/translations

This option allows to define the path where the application translations files are stored.

property_access

magic_call

type: boolean default: false

When enabled, the property_accessor service uses PHP's magic __call() method when its getValue() method is called.

throw_exception_on_invalid_index

type: boolean default: false

When enabled, the property_accessor service throws an exception when you try to access an invalid index of an array.

throw_exception_on_invalid_property_path

type: boolean default: true

4.3

The throw_exception_on_invalid_property_path option was introduced in Symfony 4.3.

When enabled, the property_accessor service throws an exception when you try to access an invalid property path of an object.

property_info

enabled

type: boolean default: true or false depending on your installation

validation

enabled

type: boolean default: true or false depending on your installation

Whether or not to enable validation support.

This option will automatically be set to true when one of the child settings is configured.

enable_annotations

type: boolean default: false

If this option is enabled, validation constraints can be defined using annotations.

translation_domain

type: string | false default: validators

The translation domain that is used when translating validation constraint error messages. Use false to disable translations.

not_compromised_password

The NotCompromisedPassword constraint makes HTTP requests to a public API to check if the given password has been compromised in a data breach.

enabled

type: boolean default: true

4.3

The enabled option was introduced in Symfony 4.3.

If you set this option to false, no HTTP requests will be made and the given password will be considered valid. This is useful when you don't want or can't make HTTP requests, such as in dev and test environments or in continuous integration servers.

endpoint

type: string default: null

4.3

The endpoint option was introduced in Symfony 4.3.

By default, the NotCompromisedPassword constraint uses the public API provided by haveibeenpwned.com. This option allows to define a different, but compatible, API endpoint to make the password checks. It's useful for example when the Symfony application is run in an intranet without public access to the internet.

static_method

type: string | array default: ['loadValidatorMetadata']

Defines the name of the static method which is called to load the validation metadata of the class. You can define an array of strings with the names of several methods. In that case, all of them will be called in that order to load the metadata.

strict_email

type: Boolean default: false

4.1

The strict_email option was deprecated in Symfony 4.1. Use the new email_validation_mode option instead.

If this option is enabled, the egulias/email-validator library will be used by the Email constraint validator. Otherwise, the validator uses a simple regular expression to validate email addresses.

email_validation_mode

type: string default: loose

Sets the default value for Email validator. The possible values are:

  • loose, it uses a simple regular expression to validate the address (it checks that at least one @ character is present, etc.). This validation is too simple and it's recommended to use the html5 validation instead;
  • html5, it validates email addresses using the same regular expression defined in the HTML5 standard, making the backend validation consistent with the one provided by browsers;
  • strict, it uses the egulias/email-validator library (which you must install separately) to validate the addresses according to the RFC 5322.

mapping

paths

type: array default: ['config/validation/']

This option allows to define an array of paths with files or directories where the component will look for additional validation files:

1
2
3
4
5
6
# config/packages/framework.yaml
framework:
    validation:
        mapping:
            paths:
                - "%kernel.project_dir%/config/validation/"

annotations

cache

type: string default: 'file'

This option can be one of the following values:

file
Use the filesystem to cache annotations
none
Disable the caching of annotations
a service id
A service id referencing a Doctrine Cache implementation

file_cache_dir

type: string default: '%kernel.cache_dir%/annotations'

The directory to store cache files for annotations, in case annotations.cache is set to 'file'.

debug

type: boolean default: %kernel.debug%

Whether to enable debug mode for caching. If enabled, the cache will automatically update when the original file is changed (both with code and annotation changes). For performance reasons, it is recommended to disable debug mode in production, which will happen automatically if you use the default value.

secrets

decryption_env_var

type: string default: base64:default::SYMFONY_DECRYPTION_SECRET

The environment variable that contains the decryption key.

local_dotenv_file

type: string default: %kernel.project_dir%/.env.%kernel.environment%.local

Path to an dotenv file that holds secrets. This is primarily used for testing.

vault_directory

type: string default: %kernel.project_dir%/config/secrets/%kernel.environment%

The directory where the vault of secrets is stored.

serializer

enabled

type: boolean default: true or false depending on your installation

Whether to enable the serializer service or not in the service container.

enable_annotations

type: boolean default: false

If this option is enabled, serialization groups can be defined using annotations.

See also

For more information, see How to Use the Serializer.

name_converter

type: string

The name converter to use. The CamelCaseToSnakeCaseNameConverter name converter can enabled by using the serializer.name_converter.camel_case_to_snake_case value.

See also

For more information, see The Serializer Component.

circular_reference_handler

type string

The service id that is used as the circular reference handler of the default serializer. The service has to implement the magic __invoke($object) method.

See also

For more information, see The Serializer Component.

mapping

paths

type: array default: []

This option allows to define an array of paths with files or directories where the component will look for additional serialization files.

php_errors

log

type: boolean|int default: %kernel.debug%

Use the application logger instead of the PHP logger for logging PHP errors. When an integer value is used, it also sets the log level. Those integer values must be the same used in the error_reporting PHP option.

throw

type: boolean default: %kernel.debug%

Throw PHP errors as \ErrorException instances. The parameter debug.error_handler.throw_at controls the threshold.

cache

app

type: string default: cache.adapter.filesystem

The cache adapter used by the cache.app service. The FrameworkBundle ships with multiple adapters: cache.adapter.apcu, cache.adapter.doctrine, cache.adapter.system, cache.adapter.filesystem, cache.adapter.psr6, cache.adapter.redis, cache.adapter.memcached and cache.adapter.pdo.

There's also a special adapter called cache.adapter.array which stores contents in memory using a PHP array and it's used to disable caching (mostly on the dev environment).

Tip

It might be tough to understand at the beginning, so to avoid confusion remember that all pools perform the same actions but on different medium given the adapter they are based on. Internally, a pool wraps the definition of an adapter.

system

type: string default: cache.adapter.system

The cache adapter used by the cache.system service. It supports the same adapters available for the cache.app service.

directory

type: string default: %kernel.cache_dir%/pools

The path to the cache directory used by services inheriting from the cache.adapter.filesystem adapter (including cache.app).

default_doctrine_provider

type: string

The service name to use as your default Doctrine provider. The provider is available as the cache.default_doctrine_provider service.

default_psr6_provider

type: string

The service name to use as your default PSR-6 provider. It is available as the cache.default_psr6_provider service.

default_redis_provider

type: string default: redis://localhost

The DSN to use by the Redis provider. The provider is available as the cache.default_redis_provider service.

default_memcached_provider

type: string default: memcached://localhost

The DSN to use by the Memcached provider. The provider is available as the cache.default_memcached_provider service.

default_pdo_provider

type: string default: doctrine.dbal.default_connection

The service id of the database connection, which should be either a PDO or a Doctrine DBAL instance. The provider is available as the cache.default_pdo_provider service.

pools

type: array

A list of cache pools to be created by the framework extension.

See also

For more information about how pools work, see cache pools.

To configure a Redis cache pool with a default lifetime of 1 hour, do the following:

1
2
3
4
5
6
7
# config/packages/framework.yaml
framework:
    cache:
        pools:
            cache.mycache:
                adapter: cache.adapter.redis
                default_lifetime: 3600
name

type: prototype

Name of the pool you want to create.

Note

Your pool name must differ from cache.app or cache.system.

adapter

type: string default: cache.app

The service name of the adapter to use. You can specify one of the default services that follow the pattern cache.adapter.[type]. Alternatively you can specify another cache pool as base, which will make this pool inherit the settings from the base pool as defaults.

Note

Your service MUST implement the Psr\Cache\CacheItemPoolInterface interface.

public

type: boolean default: false

Whether your service should be public or not.

tags

type: boolean | string default: null

Whether your service should be able to handle tags or not. Can also be the service id of another cache pool where tags will be stored.

default_lifetime

type: integer

Default lifetime of your cache items in seconds.

provider

type: string

Overwrite the default service name or DSN respectively, if you do not want to use what is configured as default_X_provider under cache. See the description of the default provider setting above for information on how to specify your specific provider.

clearer

type: string

The cache clearer used to clear your PSR-6 cache.

See also

For more information, see Psr6CacheClearer.

prefix_seed

type: string default: _%kernel.project_dir%.%kernel.container_class%

This value is used as part of the "namespace" generated for the cache item keys. A common practice is to use the unique name of the application (e.g. symfony.com) because that prevents naming collisions when deploying multiple applications into the same path (on different servers) that share the same cache backend.

It's also useful when using blue/green deployment strategies and more generally, when you need to abstract out the actual deployment directory (for example, when warming caches offline).

lock

type: string | array

The default lock adapter. If not defined, the value is set to semaphore when available, or to flock otherwise. Store's DSN are also allowed.

enabled

type: boolean default: true

Whether to enable the support for lock or not. This setting is automatically set to true when one of the child settings is configured.

resources

type: array

A list of lock stores to be created by the framework extension.

1
2
3
# config/packages/lock.yaml
framework:
    lock: '%env(LOCK_DSN)%'

See also

For more details, see Dealing with Concurrency with Locks.

name

type: prototype

Name of the lock you want to create.

Tip

If you want to use the `RetryTillSaveStore` for non-blocking locks, you can do it by decorating the store service:

1
2
3
4
lock.invoice.retry_till_save.store:
    class: Symfony\Component\Lock\Store\RetryTillSaveStore
    decorates: lock.invoice.store
    arguments: ['@lock.invoice.retry_till_save.store.inner', 100, 50]

mailer

4.3

The mailer settings were introduced in Symfony 4.3.

dsn

type: string default: null

The DSN used by the mailer. When several DSN may be used, use transports option (see below) instead.

transports

type: array

A list of DSN that can be used by the mailer. A transport name is the key and the dsn is the value.

envelope

sender

type: string

Sender used by the Mailer. Keep in mind that this setting override a sender set in the code.

recipients

type: array

Recipients used by the Mailer. Keep in mind that this setting override recipients set in the code.

1
2
3
4
5
6
# config/packages/mailer.yaml
framework:
    mailer:
        dsn: 'smtp://localhost:25'
        envelope:
            recipients: ['admin@symfony.com', 'lead@symfony.com']

enabled

type: boolean default: true or false depending on your installation

Adds a Link HTTP header to the response.

workflows

type: array

A list of workflows to be created by the framework extension:

1
2
3
4
5
# config/packages/workflow.yaml
framework:
    workflows:
        my_workflow:
            # ...

See also

See also the article about using workflows in Symfony applications.

enabled

type: boolean default: false

Whether to enable the support for workflows or not. This setting is automatically set to true when one of the child settings is configured.

name

type: prototype

Name of the workflow you want to create.

audit_trail

type: boolean

If set to true, the AuditTrailListener will be enabled.

initial_marking

type: string | array

One of the places or empty. If not null and the supported object is not already initialized via the workflow, this place will be set.

marking_store

type: array

Each marking store can define any of these options:

  • arguments (type: array)
  • service (type: string)
  • type (type: string allow value: 'method')
metadata

type: array

Metadata available for the workflow configuration. Note that places and transitions can also have their own metadata entry.

places

type: array

All available places (type: string) for the workflow configuration.

supports

type: string | array

The FQCN (fully-qualified class name) of the object supported by the workflow configuration or an array of FQCN if multiple objects are supported.

support_strategy

type: string

transitions

type: array

Each marking store can define any of these options:

  • from (type: string or array) value from the places, multiple values are allowed for both workflow and state_machine;
  • guard (type: string) an ExpressionLanguage compatible expression to block the transition;
  • name (type: string) the name of the transition;
  • to (type: string or array) value from the places, multiple values are allowed only for workflow.
type

type: string possible values: 'workflow' or 'state_machine'

Defines the kind of workflow that is going to be created, which can be either a normal workflow or a state machine. Read this article to know their differences.

This work, including the code samples, is licensed under a Creative Commons BY-SA 3.0 license.
TOC
    Version