
[Feature Contribution] Path Based configuration #234

Open
henrym2 opened this issue Aug 11, 2020 · 4 comments

Comments

@henrym2

henrym2 commented Aug 11, 2020

Hi Nelmio Team,

Based on a number of other requests for a similar feature set in #232 #206, I would like to propose the inclusion of path based configuration, as constructed in the Nelmio/NelmioCorsBundle. This would allow developers to specify security levels on individual paths as opposed to relying on an all-encompassing "global" config, which is likely to either 1) break some core features or bundles that the developer has no control over or 2) not be a robust enough security measure against attacks due to exemptions.

I would also like to accompany this with a presets system. I have implemented something along the same lines in the Ise/WebSecurityBundle. This way, preset configurations defined by the bundle could be used, in combination with a per-path configuration system to make it easier for developers to implement high quality web security in their applications.

I'd love to hear some comments with respect to a feature like this and whether or not you would be open to me opening a PR that might implement it.

Thanks for reading!

@Seldaek
Member

Seldaek commented Feb 4, 2021

Overall yes that sounds good to have I think, but there is (as you can see) very little time on the maintenance side of this bundle the last few years, so I can't guarantee it'll be reviewed in a timely manner.

It's mostly been @romainneutron maintaining things though lately, so maybe he should confirm before you invest any time in this.

@romainneutron
Collaborator

I say yes. As Jordi said, I lack the time to do everything I would like, but I would do my best to help you where needed.

@shahariaazam

shahariaazam commented Aug 18, 2021

That would be a very interesting feature. But to clarify it correctly, what config we are proposing here?

```diff
nelmio_security:
    clickjacking:
        paths:
            '^/.*': DENY
+        disallowed_in:
+            - '/path_1'
+            - '/path_2'
```

Or, this

```diff
nelmio_security:
+    '*':
        clickjacking:
            paths:
                '^/.*': DENY
+    '/specific-path':
        clickjacking:
            paths:
                '^/.*': DENY
```

What do you think? @Seldaek @romainneutron

@henrym2
Author

henrym2 commented Aug 18, 2021

I would be suggesting the second, where each path has its own list of config options, along with the ability to set a "global" config which applies to all routes unless overwritten by a route-specific config.

This package has an example of what I suggest -> ise/websecuritybundle
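To make the "global unless overwritten" semantics discussed in this thread concrete, here is an added example that is not part of the issue, of NelmioSecurityBundle, or of ise/websecuritybundle. It assumes the second layout proposed above: a `'*'` block holds the global config and every other top-level key is a path prefix. The prefix-matching rule (longest whole-segment prefix wins, per-feature override, PHP 8 for `str_starts_with`) and the sample paths are assumptions made for the illustration; the option names `clickjacking`, `paths` and the values `DENY` / `SAMEORIGIN` / `ALLOW` mirror the bundle's existing clickjacking config.

```php
<?php
declare(strict_types=1);

// Added example (not bundle code). Keys other than '*' are assumed to be
// path prefixes; '*' is the global fallback that every path inherits.
const LAYERED_CONFIG = [
    '*' => [
        'clickjacking' => ['paths' => ['^/.*' => 'DENY']],
    ],
    '/embed' => [
        // Widgets that third parties are allowed to frame.
        'clickjacking' => ['paths' => ['^/.*' => 'ALLOW']],
    ],
    '/embed/internal' => [
        // More specific prefix: framing only from our own origin.
        'clickjacking' => ['paths' => ['^/.*' => 'SAMEORIGIN']],
    ],
];

/**
 * Pick the most specific per-path block for $path and layer it over the
 * global '*' block. Override is per feature key (clickjacking, csp, ...):
 * a path block that defines clickjacking replaces the global clickjacking
 * setting wholesale, while features it omits fall through to '*'.
 * Matching is on whole path segments so '/embed' does not cover '/embedded'.
 */
function resolveBlock(array $config, string $path): array
{
    $global = $config['*'] ?? [];
    $bestPrefix = null;
    foreach ($config as $prefix => $block) {
        if ($prefix === '*') {
            continue;
        }
        $normalized = rtrim($prefix, '/');
        $matches = $path === $normalized || str_starts_with($path, $normalized . '/');
        if ($matches && ($bestPrefix === null || strlen($prefix) > strlen($bestPrefix))) {
            $bestPrefix = $prefix;
        }
    }
    return $bestPrefix === null ? $global : array_replace($global, $config[$bestPrefix]);
}

/**
 * Turn the resolved clickjacking options into the X-Frame-Options value that
 * would be sent. First matching regex wins; ALLOW means no header (null).
 */
function clickjackingHeader(array $block, string $path): ?string
{
    foreach ($block['clickjacking']['paths'] ?? [] as $regex => $mode) {
        if (preg_match('{' . $regex . '}i', $path) === 1) {
            $mode = strtoupper($mode);
            return $mode === 'ALLOW' ? null : $mode;
        }
    }
    return null;
}

// Constructed sample paths. The input must be the decoded, normalized path
// (Symfony's Request::getPathInfo()), not the raw request URI, otherwise a
// differently encoded URL could be matched against the wrong block.
foreach (['/', '/admin/users', '/embed/widget', '/embedded', '/embed/internal/x'] as $path) {
    $block = resolveBlock(LAYERED_CONFIG, $path);
    printf("%-20s -> %s\n", $path, clickjackingHeader($block, $path) ?? '(no X-Frame-Options header)');
}
```

With the config above, `/`, `/admin/users` and `/embedded` fall through to the global `DENY`, `/embed/widget` gets no header because its block says `ALLOW`, and `/embed/internal/x` gets `SAMEORIGIN` because the longer prefix wins over `/embed`. A shallow `array_replace` is used deliberately: a recursive merge would keep the global `'^/.*'` catch-all inside the path block's `paths` list, and since it sorts first it would shadow any regex the path block adds.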

Development

No branches or pull requests

4 participants