zhortein / dev-security-bundle
Secure your Symfony dev environment without losing comfort.
Installs: 0
Dependents: 0
Suggesters: 0
Security: 0
Stars: 0
Watchers: 0
Forks: 0
Type: symfony-bundle
pkg:composer/zhortein/dev-security-bundle
Requires
- php: >=8.3
- symfony/config: ~7.0
- symfony/dependency-injection: ~7.0
- symfony/http-kernel: ~7.0
- symfony/yaml: ~7.0
Requires (Dev)
- friendsofphp/php-cs-fixer: ^v3.75.0
- phpstan/phpstan: ^2.1
- phpstan/phpstan-doctrine: ^2.0
- phpstan/phpstan-symfony: ^2.0
- phpunit/php-code-coverage: ^12.3.1
- phpunit/phpunit: ^12.2.5
- roave/security-advisories: dev-latest
- symfony/framework-bundle: ^7.0
- symfony/phpunit-bridge: ^7.3
- symfony/test-pack: ^1.0
This package is auto-updated.
Last update: 2025-10-18 08:27:03 UTC
README
🔒 Secure your Symfony dev environment without losing comfort.
This bundle protects Symfony development environments from accidental exposure of sensitive data.
It restricts access to the Web Debug Toolbar, Profiler, and other debug routes to a whitelist of IPs or reverse hostnames.
🚀 Installation
composer require --dev zhortein/dev-security-bundle
Then register it (Symfony Flex usually handles this automatically):
```php
<?php
// config/bundles.php

return [
    // Loaded only in the dev and test environments, never in prod.
    Zhortein\DevSecurityBundle\ZhorteinDevSecurityBundle::class => ['dev' => true, 'test' => true],
];
```
⚙️ Configuration
Create config/packages/zhortein_dev_security.yaml with configuration options:
```yaml
zhortein_dev_security:
    enabled: true
    allowed_ips:
        - 127.0.0.1
        - ::1
        - 192.168.1.0/24
        - 10.8.0.0/16
    allowed_hosts:
        - "*.mydomain.fr"
        - "*.otherdomain.com"
    log_blocked_attempts: true
```
🧠 Features
✅ Restricts Symfony Web Debug Toolbar & Profiler to allowed IPs / CIDR / hostnames
✅ Logs blocked attempts for audit
✅ Optional #[RestrictedToDevWhitelist] attribute to secure sensitive routes (e.g. /dev/info)
✅ Zero dependency, works out of the box
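How an IP / CIDR / reverse-hostname whitelist of this kind can be evaluated, using the values from the sample configuration. This is an added example, not the bundle's own code: `ipInCidr`, `hostAllowed` and the injected resolver callables are hypothetical names, and the DNS data is constructed. It goes one step beyond the README by requiring the reverse name to forward-confirm.

```php
<?php
// Added illustration, not the bundle's code; function names are hypothetical.

/** True when $ip equals $cidr or falls inside it (e.g. "10.8.0.0/16"). */
function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin = @inet_pton($ip);
    $netBin = @inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // unparsable input, or IPv4 compared with IPv6
    }
    if ($bits !== null && (!ctype_digit($bits) || (int) $bits > strlen($ipBin) * 8)) {
        return false; // malformed prefix length: fail closed instead of treating it as /0
    }
    $bits = (int) ($bits ?? strlen($ipBin) * 8);
    $bytes = intdiv($bits, 8);
    $mask = (0xFF << (8 - $bits % 8)) & 0xFF; // 0 when the prefix ends on a byte boundary
    return substr($ipBin, 0, $bytes) === substr($netBin, 0, $bytes)
        && ($mask === 0 || (ord($ipBin[$bytes]) & $mask) === (ord($netBin[$bytes]) & $mask));
}

/** Wildcard match on the reverse name, accepted only if it forward-confirms. */
function hostAllowed(string $ip, array $patterns, callable $reverse, callable $forward): bool
{
    $host = strtolower(rtrim((string) $reverse($ip), '.'));
    // A PTR record is set by whoever controls the address block, so the name
    // counts only when it resolves back to the same IP.
    if ($host === '' || $host === $ip || !in_array($ip, (array) $forward($host), true)) {
        return false;
    }
    foreach ($patterns as $pattern) {
        if (fnmatch(strtolower($pattern), $host)) {
            return true;
        }
    }
    return false;
}

// Constructed DNS data so the example runs offline; a real check would call a resolver.
$ptr = ['203.0.113.7' => 'laptop.mydomain.fr', '198.51.100.9' => 'vpn.mydomain.fr'];
$fwd = ['laptop.mydomain.fr' => ['203.0.113.7'], 'vpn.mydomain.fr' => ['192.0.2.1']];
$reverse = fn (string $ip) => $ptr[$ip] ?? $ip;
$forward = fn (string $host) => $fwd[$host] ?? [];
$allowedIps = ['127.0.0.1', '::1', '192.168.1.0/24', '10.8.0.0/16'];
$allowedHosts = ['*.mydomain.fr', '*.otherdomain.com'];
foreach (['10.8.200.3', '10.9.0.1', '::1', '203.0.113.7', '198.51.100.9'] as $ip) {
    $ok = array_filter($allowedIps, fn ($c) => ipInCidr($ip, $c)) !== [] || hostAllowed($ip, $allowedHosts, $reverse, $forward);
    printf("%-14s %s\n", $ip, $ok ? 'allowed' : 'blocked');
}
```

Either check is only as reliable as the client address it is given; behind a reverse proxy that depends on Symfony's `framework.trusted_proxies` setting being correct.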
🧰 Usage Example
```php
<?php

namespace App\Controller;

use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Attribute\Route;
use Zhortein\DevSecurityBundle\Attribute\RestrictedToDevWhitelist;

// The namespace and class name are illustrative; the attribute goes on the action.
final class DevInfoController
{
    #[Route('/dev/info')]
    #[RestrictedToDevWhitelist]
    public function devInfo(): Response
    {
        return new Response('This route is visible only to authorized developer IPs.');
    }
}
```
If accessed from an unauthorized IP, the bundle throws AccessDeniedHttpException (403).
🛠️ Roadmap
Version | Feature |
---|---|
1.0.0 | Base security (profiler restriction, route attribute) |
1.1.0 | Command-line helper to list current IPs and detect reverses |
1.2.0 | Middleware to disable exception stacktraces in preprod |
2.0.0 | Audit dashboard & metrics integration |
🧑‍💻 Author
David Renard, CEO at Isatis Concept
📝 License
MIT © David Renard