Files
TijdVoorDeTest/config/packages/framework.yaml
T
Marijn 89e7dd09ba Add rate limiting to login and season-code entry points
Neither /login nor the public season-code guess form (POST /) had
any throttling, making both an unlimited brute-force/enumeration
oracle. Adds symfony/rate-limiter and enables login_throttling on
the main firewall, plus a dedicated per-IP rate limiter on the
season-code form.
2026-07-13 09:56:39 +02:00

34 lines
1.0 KiB
YAML

# see https://symfony.com/doc/current/reference/configuration/framework.html
framework:
secret: '%env(APP_SECRET)%'
# Note that the session will be started ONLY if you read or write from it.
session: true
form:
csrf_protection:
enabled: true
#esi: true
#fragments: true
rate_limiter:
# Throttles guesses against the public season-code entry point (config/packages/security.yaml
# handles throttling for the backoffice /login form separately).
season_code:
policy: sliding_window
limit: 20
interval: '1 minute'
when@prod:
framework:
# shortcut for private IP address ranges of your proxy
trusted_proxies: 'private_ranges'
# or, if your proxy instead uses the "Forwarded" header
trusted_headers: [ 'x-forwarded-proto' ]
when@test:
framework:
test: true
session:
storage_factory_id: session.storage.factory.mock_file
rate_limiter:
season_code:
limit: 3