At Nelmio we love Symfony2. As contributors to the core development, we care a lot about not only the project itself, but the entire ecosystem.
And that’s why we’re thrilled to announce the immediate availability of the NelmioSecurityBundle!
This Symfony2 bundle provides security-enhancing features for your application. It is not a replacement for the core SecurityBundle, it provides generic purpose security features, not related to user management.
Signed Cookies: If you would like to make sure your cookies have not been tampered with, you can sign them. This can be used to add more security to session cookies, for example.
Clickjacking Protection: Clickjacking is a technique which fools users into completing an action on your site by making them click into a hidden iframe containing your website. Modern browsers have a mechanism to deny embedding iframes and we help you leverage it.
External Redirects Detection: Redirecting to arbitrary sites based on user input can be dangerous, as it can lead to phishing. This bundle allows you to globally whitelist sites that can be redirected to, while blocking other redirects out of your domain.
Improved HTTPS/SSL Handling: It comes in two flavors, one way to ensure your users always navigate your site in HTTPS, both with an automatic redirect and using HTTP Strict Transport Security. The other way is to only make sure that logged-in users always navigate with HTTPS, avoiding that their session cookie get stolen on public Wi-Fi and others. Anonymous users can still use the non-HTTPS site freely. The first mode is highly recommended, but we worked on the second for the sake of completeness and experimentation.
We hope you enjoy these features as much as we do and we are looking forward to hearing your comments! Head to the README to learn about it in more detail.