Commit 864c028

minor #17309 [Security] Add caution on symfony cli web server exposing env vars on private network (94noni)
This PR was squashed before being merged into the 6.2 branch.

Discussion
----------

[Security] Add caution on symfony cli web server exposing env vars on private network

Hi,
One can understand that this web server is a great tool for development purposes, but this addition should be added imho for knowledge :)

Context: when checking some local data accessible on local network with a coworker, we arrived to display a symfony cli served app profiler (obviously it is in `dev` env) and in the profiler > request/response panel > server parameters > regular env vars
=> **thus exposing also symfony unrelated env vars which are included**

friendly ping `@wuchen90` ^^

Commits
-------

9c3023e [Security] Add caution on symfony cli web server exposing env vars on private network
2 parents 4cf29bc + 9c3023e commit 864c028

1 file changed: +7 -0 lines changed

setup/symfony_server.rst

Lines changed: 7 additions & 0 deletions
@@ -11,6 +11,13 @@ other features that sooner or later you'll need when developing web projects.
1111
Moreover, the server is not tied to Symfony and you can also use it with any
1212
PHP application and even with HTML or single page applications.
1313

14+
.. caution::
15+
16+
This server will automatically expose all environment variables available
17+
in the CLI tool context, **which can lead to security issues**.
18+
One should assert that its server is not accessible on local network without
19+
consent.
20+
1421
Installation
1522
------------
1623
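
Review bot: the last sentence of the caution (added lines 18-19, "One should assert that its server is not accessible on local network without consent.") is hard to act on: "assert" and "its server" read awkwardly, and "without consent" does not say whose consent is meant. Suggest a direct instruction such as "Make sure the server is not reachable from your local network unless you intend it to be." The first sentence (added lines 16-17) also says the variables are exposed without saying where; the commit message names the profiler's request/response panel (server parameters) in the `dev` environment, and mentioning that in the caution would tell readers what to check.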
