Commit 8eeecb8

minor #21008 [Security] Document the new expose_security_errors option (javiereguiluz)
This PR was squashed before being merged into the 7.3 branch.

Discussion
----------

[Security] Document the new `expose_security_errors` option

Fixes #20612.

Commits
-------

d923acb [Security] Document the new `expose_security_errors` option
2 parents fa9df56 + d923acb commit 8eeecb8

1 file changed

+30
-1
lines changed


reference/configuration/security.rst

Lines changed: 30 additions & 1 deletion
@@ -23,7 +23,8 @@ key in your application configuration.
2323

2424
* `access_denied_url`_
2525
* `erase_credentials`_
26-
* `hide_user_not_found`_
26+
* `expose_security_errors`_
27+
* `hide_user_not_found`_ (deprecated)
2728
* `session_fixation_strategy`_
2829

2930
**Advanced Options**:
@@ -71,11 +72,39 @@ after authentication::
7172
Since Symfony 7.3, ``eraseCredentials()`` methods are deprecated and are
7273
not called if they have the ``#[\Deprecated]`` attribute.
7374

75+
expose_security_errors
76+
----------------------
77+
78+
**type**: ``string`` **default**: ``'none'``
79+
80+
.. deprecated:: 7.3
81+
82+
The ``expose_security_errors`` option was introduced in Symfony 7.3
83+
84+
User enumeration is a common security issue where attackers infer valid usernames
85+
based on error messages. For example, a message like "This user does not exist"
86+
shown by your login form reveals whether a username exists.
87+
88+
This option lets you hide some or all errors related to user accounts
89+
(e.g. blocked or expired accounts) to prevent this issue. Instead, these
90+
errors will trigger a generic ``BadCredentialsException``. The value of this
91+
option can be one of the following:
92+
93+
* ``'none'``: hides all user-related security exceptions;
94+
* ``'account_status'``: shows account-related exceptions (e.g. blocked or expired
95+
accounts) but only for users who provided the correct password;
96+
* ``'all'``: shows all security-related exceptions.
97+
7498
hide_user_not_found
7599
-------------------
76100

77101
**type**: ``boolean`` **default**: ``true``
78102

103+
.. deprecated:: 7.3
104+
105+
The ``hide_user_not_found`` option was deprecated in favor of the
106+
``expose_security_errors`` option in Symfony 7.3.
107+
79108
If ``true``, when a user is not found a generic exception of type
80109
:class:`Symfony\\Component\\Security\\Core\\Exception\\BadCredentialsException`
81110
is thrown with the message "Bad credentials".
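Review bot: the new ``expose_security_errors`` section opens with ``.. deprecated:: 7.3``, but the sentence right under it says the option "was introduced in Symfony 7.3", so this should be ``.. versionadded:: 7.3`` (the ``.. deprecated:: 7.3`` directive a few lines later, under ``hide_user_not_found``, is the correct one). Two smaller points in the same hunk: the other options on this reference page are shown with a configuration example, and this one only lists the three string values in prose, so a short ``configuration-block`` such as ``security:`` / ``    expose_security_errors: 'account_status'`` would make the type and quoting unambiguous; and the deprecation note added to ``hide_user_not_found`` tells readers which option replaces it but not which ``expose_security_errors`` value corresponds to the old ``true`` and ``false`` settings, which is exactly what someone migrating an existing ``security.yaml`` needs to know. Finally, the ``'account_status'`` bullet says account exceptions are shown "only for users who provided the correct password"; it is worth stating the consequence explicitly, namely that an attacker with a wrong password still cannot distinguish a blocked or expired account from a non-existent one, since that is the property the whole option exists to protect.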
