zhortein/dev-security-bundle
Latest stable version: 1.0.2
Composer install command:
composer require --dev zhortein/dev-security-bundle
Package description
Secure your Symfony dev environment without losing comfort.
README
🔒 Secure your Symfony dev environment without losing comfort.
This bundle protects Symfony development environments from accidental exposure of sensitive data.
It restricts access to the Web Debug Toolbar, Profiler, and other debug routes to a whitelist of IPs or reverse hostnames.
🚀 Installation
composer require --dev zhortein/dev-security-bundle
Then register it (Symfony Flex usually handles this automatically):
```php
// config/bundles.php
return [
    Zhortein\DevSecurityBundle\ZhorteinDevSecurityBundle::class => ['dev' => true, 'test' => true],
];
```
⚙️ Configuration
Create config/packages/zhortein_dev_security.yaml with configuration options:
```yaml
zhortein_dev_security:
    enabled: true
    allowed_ips:
        - 127.0.0.1
        - ::1
        - 192.168.1.0/24
        - 10.8.0.0/16
    allowed_hosts:
        - "*.mydomain.fr"
        - "*.otherdomain.com"
    log_blocked_attempts: true
```
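To make the `allowed_ips` / `allowed_hosts` semantics concrete, here is an added example; it is not the bundle's code, whose matching logic is not shown on this page. It assumes `symfony/http-foundation` is installed, uses a hypothetical helper `isDevClientAllowed()` with constructed DNS answers, and accepts a reverse hostname only when it resolves back to the same address, which is this example's own assumption.

```php
<?php
declare(strict_types=1);
use Symfony\Component\HttpFoundation\IpUtils;
require __DIR__.'/vendor/autoload.php'; // needs symfony/http-foundation

/**
 * Hypothetical helper (not part of the bundle): checks a client IP against
 * lists shaped like allowed_ips / allowed_hosts. $reverse and $forward are
 * injectable resolvers; the defaults use the system resolver.
 */
function isDevClientAllowed(string $ip, array $allowedIps, array $allowedHosts,
    ?callable $reverse = null, ?callable $forward = null): bool
{
    // 1. Literal IP or CIDR match, IPv4 and IPv6.
    if (IpUtils::checkIp($ip, $allowedIps)) {
        return true;
    }
    $reverse ??= static fn (string $ip) => gethostbyaddr($ip);
    $forward ??= static fn (string $host): array => array_map(
        static fn (array $r): string => $r['ip'] ?? $r['ipv6'],
        dns_get_record($host, DNS_A | DNS_AAAA) ?: []
    );
    // 2. Reverse lookup; gethostbyaddr() returns the IP itself when no PTR exists.
    $host = $reverse($ip);
    if (!is_string($host) || $host === $ip) {
        return false;
    }
    $host = strtolower(rtrim($host, '.'));
    foreach ($allowedHosts as $pattern) {
        // 3. Accept the PTR name only if it matches a pattern AND resolves
        //    back to the same address (forward-confirmed reverse DNS).
        if (fnmatch(strtolower($pattern), $host) && IpUtils::checkIp($ip, $forward($host))) {
            return true;
        }
    }
    return false;
}

// Constructed sample data: documentation address ranges and made-up DNS answers.
$ips   = ['127.0.0.1', '::1', '192.168.1.0/24', '10.8.0.0/16'];
$hosts = ['*.mydomain.fr', '*.otherdomain.com'];
$ptr   = ['203.0.113.7' => 'vpn.mydomain.fr', '198.51.100.9' => 'unconfirmed.mydomain.fr'];
$a     = ['vpn.mydomain.fr' => ['203.0.113.7'], 'unconfirmed.mydomain.fr' => ['192.0.2.1']];
$rev   = static fn (string $ip) => $ptr[$ip] ?? $ip;
$fwd   = static fn (string $host): array => $a[$host] ?? [];

foreach (['10.8.3.4', '203.0.113.7', '198.51.100.9', '192.0.2.50'] as $ip) {
    printf("%-14s %s\n", $ip, isDevClientAllowed($ip, $ips, $hosts, $rev, $fwd) ? 'allowed' : 'blocked');
}
```

When the application sits behind a reverse proxy, the address being checked is only meaningful if Symfony's trusted proxies are configured, since otherwise every request appears to come from the proxy.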
🧠 Features
✅ Restricts Symfony Web Debug Toolbar & Profiler to allowed IPs / CIDR / hostnames
✅ Logs blocked attempts for audit
✅ Optional #[RestrictedToDevWhitelist] attribute to secure sensitive routes (e.g. /dev/info)
✅ Zero dependency, works out of the box
🧰 Usage Example
```php
use Zhortein\DevSecurityBundle\Attribute\RestrictedToDevWhitelist;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Annotation\Route;

// The controller class name is illustrative; the attribute goes on the action method.
final class DevInfoController
{
    #[Route('/dev/info')]
    #[RestrictedToDevWhitelist]
    public function devInfo(): Response
    {
        return new Response('This route is visible only to authorized developer IPs.');
    }
}
```
If accessed from an unauthorized IP, the bundle throws AccessDeniedHttpException (403).
🛠️ Roadmap
| Version | Feature |
|---|---|
| 1.0.0 | Base security (profiler restriction, route attribute) |
| 1.1.0 | Command-line helper to list current IPs and detect reverses |
| 1.2.0 | Middleware to disable exception stacktraces in preprod |
| 2.0.0 | Audit dashboard & metrics integration |
🧑‍💻 Author
David Renard, CEO at Isatis Concept
📝 License
MIT © David Renard
Statistics
- Total downloads: 3
- Monthly downloads: 0
- Daily downloads: 0
- Favorites: 0
- Clicks: 0
- Dependent projects: 0
- Recommendations: 0
Other information
- License: MIT
- Updated: 2025-10-18