
[Feature Contribution] Path Based configuration

Open henrym2 opened this issue 3 years ago • 4 comments

Hi Nelmio Team,

Based on a number of other requests for a similar feature set in #232 #206, I would like to propose the inclusion of path-based configuration, as constructed in the Nelmio/NelmioCorsBundle. This would allow developers to specify security levels on individual paths as opposed to relying on an all-encompassing "global" config, which is likely to either 1) break some core features or bundles that the developer has no control over or 2) not be a robust enough security measure against attacks due to exemptions.

I would also like to accompany this with a presets system. I have implemented something along the same lines in the Ise/WebSecurityBundle. This way, preset configurations defined by the bundle could be used, in combination with a per-path configuration system to make it easier for developers to implement high quality web security in their applications.

I'd love to hear some comments with respect to a feature like this and whether or not you would be open to me opening a PR that might implement it.

Thanks for reading!

henrym2 avatar Aug 11 '20 15:08 henrym2

Overall yes that sounds good to have I think, but there is (as you can see) very little time on the maintenance side of this bundle the last few years, so I can't guarantee it'll be reviewed in a timely manner.

It's mostly been @romainneutron maintaining things though lately, so maybe he should confirm before you invest any time in this.

Seldaek avatar Feb 04 '21 10:02 Seldaek

I say yes. As Jordi said, I lack the time to do everything I would like to, but I would do my best to help you where needed.

romainneutron avatar Feb 05 '21 07:02 romainneutron

That would be a very interesting feature. But to clarify it correctly, what config are we proposing here?

nelmio_security:
    clickjacking:
        paths:
            '^/.*': DENY
+        disallowed_in:
+            - '/path_1'
+            - '/path_2'

Or, this

nelmio_security:
+    '*':
        clickjacking:
            paths:
                '^/.*': DENY
+    '/specific-path':
        clickjacking:
            paths:
                '^/.*': DENY

What do you think? @Seldaek @romainneutron

shahariaazam avatar Aug 18 '21 08:08 shahariaazam

I would be suggesting the second, where each path has its own list of config options, along with the ability to set a "global" config which applies to all routes unless overwritten by a route-specific config.

This package has an example of what I suggest -> ise/websecuritybundle

henrym2 avatar Aug 18 '21 08:08 henrym2
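The second shape discussed in the thread, a `'*'` block that applies everywhere plus path-specific blocks that override it, is easy to reason about once the lookup rule is written down. The PHP below is an added illustration, not code from NelmioSecurityBundle or from the proposer; the config array, its `header`/`nosniff`/`policies` keys and the `resolveConfig`/`clickjackingHeader` functions are all hypothetical, chosen only to show how a global-plus-override lookup would pick the effective setting for a request path.

```php
<?php
// Added example, not part of NelmioSecurityBundle. Demonstrates the second
// proposal from the thread: a '*' global block plus path-specific blocks
// that override it for matching routes. The config shape is hypothetical.

declare(strict_types=1);

// Hypothetical config array, roughly what the proposed YAML would parse to.
// The global block is the most restrictive default; path blocks relax or
// extend it only where a route genuinely needs something different.
const PATH_CONFIG = [
    '*' => [
        'clickjacking' => ['header' => 'DENY'],
        'content_type' => ['nosniff' => true],
    ],
    '^/embed' => [
        // Widgets meant to be framed by the same site.
        'clickjacking' => ['header' => 'SAMEORIGIN'],
    ],
    '^/admin' => [
        'clickjacking'    => ['header' => 'DENY'],
        'referrer_policy' => ['policies' => ['no-referrer']],
    ],
];

/**
 * Returns the effective config for $path: the '*' block merged with every
 * path-specific block whose pattern matches, with blocks listed later in the
 * config overriding earlier ones. A path no block matches simply keeps the
 * global settings, so a route the developer forgot is still covered instead
 * of falling into an exemption.
 */
function resolveConfig(array $config, string $path): array
{
    $effective = $config['*'] ?? [];
    foreach ($config as $pattern => $options) {
        if ($pattern === '*') {
            continue;
        }
        // Patterns are treated as regexes, like the '^/.*' keys in the thread.
        if (preg_match('{' . $pattern . '}', $path) === 1) {
            $effective = array_replace_recursive($effective, $options);
        }
    }
    return $effective;
}

/** Convenience accessor: the X-Frame-Options value for one request path. */
function clickjackingHeader(array $config, string $path): string
{
    return resolveConfig($config, $path)['clickjacking']['header'] ?? 'DENY';
}

// Usage: show the header each sample path would receive.
foreach (['/', '/embed/widget', '/admin/users', '/api/x'] as $p) {
    printf("%-14s X-Frame-Options: %s\n", $p, clickjackingHeader(PATH_CONFIG, $p));
}
```

With this rule `/embed/widget` resolves to `SAMEORIGIN` while `/`, `/admin/users` and the unlisted `/api/x` all keep the global `DENY`. Two points worth keeping in mind when reviewing a design like this: precedence is defined by the order of the blocks in the config, so that order needs to be documented (or replaced by a longest-match rule), and the `'*'` block should carry the strict defaults so that per-path entries only ever narrow the exceptions rather than reopen them.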