Uh oh!
There was an error while loading.Please reload this page.
- Notifications
You must be signed in to change notification settings - Fork5.2k
[Security] Document the newexpose_security_errors option#21008
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
Uh oh!
There was an error while loading.Please reload this page.
Changes fromall commits
File filter
Filter by extension
Conversations
Uh oh!
There was an error while loading.Please reload this page.
Jump to
Uh oh!
There was an error while loading.Please reload this page.
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -23,7 +23,8 @@ key in your application configuration. | ||
| * `access_denied_url`_ | ||
| * `erase_credentials`_ | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others.Learn more. shouldn't we keep it here and maybe sufis it with There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others.Learn more. Yes! Let's do that. | ||
| * `expose_security_errors`_ | ||
| * `hide_user_not_found`_ (deprecated) | ||
| * `session_fixation_strategy`_ | ||
| **Advanced Options**: | ||
| @@ -71,11 +72,39 @@ after authentication:: | ||
| Since Symfony 7.3, ``eraseCredentials()`` methods are deprecated and are | ||
| not called if they have the ``#[\Deprecated]`` attribute. | ||
| expose_security_errors | ||
| ---------------------- | ||
| **type**: ``string`` **default**: ``'none'`` | ||
| .. deprecated:: 7.3 | ||
| The ``expose_security_errors`` option was introduced in Symfony 7.3 | ||
| User enumeration is a common security issue where attackers infer valid usernames | ||
javiereguiluz marked this conversation as resolved. Show resolvedHide resolvedUh oh!There was an error while loading.Please reload this page. | ||
| based on error messages. For example, a message like "This user does not exist" | ||
| shown by your login form reveals whether a username exists. | ||
| This option lets you hide some or all errors related to user accounts | ||
| (e.g. blocked or expired accounts) to prevent this issue. Instead, these | ||
| errors will trigger a generic ``BadCredentialsException``. The value of this | ||
| option can be one of the following: | ||
| * ``'none'``: hides all user-related security exceptions; | ||
| * ``'account_status'``: shows account-related exceptions (e.g. blocked or expired | ||
| accounts) but only for users who provided the correct password; | ||
| * ``'all'``: shows all security-related exceptions. | ||
| hide_user_not_found | ||
| ------------------- | ||
| **type**: ``boolean`` **default**: ``true`` | ||
| .. deprecated:: 7.3 | ||
| The ``hide_user_not_found`` option was deprecated in favor of the | ||
| ``expose_security_errors`` option in Symfony 7.3. | ||
| If ``true``, when a user is not found a generic exception of type | ||
| :class:`Symfony\\Component\\Security\\Core\\Exception\\BadCredentialsException` | ||
| is thrown with the message "Bad credentials". | ||
Uh oh!
There was an error while loading.Please reload this page.