Adds extra security-related features in your Symfony application
NelmioSecurityBundle
About
The NelmioSecurityBundle provides additional security features for your Symfony application.
Installation
Require the nelmio/security-bundle package in your composer.json and update your dependencies:
composer require nelmio/security-bundle
The bundle should be automatically enabled by [Symfony Flex][1]. If you don't use Flex, you'll need to enable it manually as explained [in the docs][2].
Features
Read [the docs][2] for the details and configuration needed for each feature:
- Content Security Policy: Cross site scripting attacks (XSS) can be mitigated
- Signed Cookies: Specify certain cookies to be signed, so that the user cannot modify
- Clickjacking Protection: X-Frame-Options header is added to all responses to prevent your
- External Redirects Detection: Redirecting from your site to arbitrary URLs based on user
- Forced HTTPS/SSL Handling: This forces all requests to go through SSL. It will also
- Flexible HTTPS/SSL Handling: If you don't want to force all users to use HTTPS, you should
- Disable Content Type Sniffing: Require that scripts are loaded using the correct mime type.
- (DEPRECATED) XSS Protection: Enables/Disables Microsoft XSS Protection on compatible browsers (IE 8 and newer).
- Referrer Policy:
Referrer-Policyheader is added to all responses to control theRefererheader
Testing
The bundle provides PHPUnit assertions to test security headers in your application. See TESTING.md for details.
Usage
See [the documentation][2] for usage instructions.
License
Released under the MIT License, see LICENSE.
[1]: https://symfony.com/doc/current/setup/flex.html [2]: https://symfony.com/bundles/NelmioSecurityBundle/