diff --git a/reference/configuration/framework.rst b/reference/configuration/framework.rst index 4cdf689758e..81b85e53063 100644 --- a/reference/configuration/framework.rst +++ b/reference/configuration/framework.rst @@ -60,10 +60,24 @@ secret **type**: ``string`` **required** -This is a string that should be unique to your application. In practice, -it's used for generating the CSRF tokens, but it could be used in any other -context where having a unique string is useful. It becomes the service container -parameter named ``kernel.secret``. +This is a string that should be unique to your application and it's commonly used +to add more entropy to security related operations. Its value should be a series of +characters, numbers and symbols chosen randomly and the recommended length is +around 32 characters. + +In practice, Symfony uses this value for generating the :ref:`CSRF tokens `, +for encrypting the cookies used in the :doc:`remember me functionality ` +and for creating signed URIs when using :ref:`ESI (Edge Side Includes) ` . + +This option becomes the service container parameter named ``kernel.secret``, +which you can use whenever the application needs an immutable random string +to add more entropy. + +As with any other security-related parameter, it is a good practice to change this +value from time to time. However, keep in mind that changing this value will +invalidate all signed URIs and Remember Me cookies. That's why, after changing +this value, you should regenerate the application cache and log out all the +application users. .. _configuration-framework-http_method_override:
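Review bot: the three cross-references in the second added paragraph (`:ref:`CSRF tokens ``, `:doc:`remember me functionality ``, `:ref:`ESI (Edge Side Includes) ``) carry no `<target>` after the link text, so Sphinx will not resolve them and will emit warnings; add the label or document path to each, and drop the stray space before the period after the ESI reference. Two smaller wording points in the same hunk: "security related operations" should be "security-related operations" to match "security-related parameter" later in the hunk, and "characters, numbers and symbols" reads better as "letters, numbers and symbols", since numbers and symbols are themselves characters. Finally, the last paragraph lists only signed URIs and Remember Me cookies as what rotation invalidates, while the hunk itself states the secret is also used to generate CSRF tokens; consider adding that CSRF tokens issued before the change will stop validating, so forms open at rotation time will need to be reloaded.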