wouterj closed this 1 year ago
ping @symfony/mergers let's make a decision here if we want this or not :)
Although having it makes sense for any web app, I don't feel comfortable with requiring a package that is not from the Symfony organization and to which no core member has write permissions. The pack's dependencies must support latest versions with no delay, which we cannot guarantee here.
Ok, given the 3 +1's on your message let's close this. We can always revisit if things change in the future.
The NelmioSecurityBundle has been part of the official Symfony recipes repo since the start. The headers provided by the bundle create a safe start for web applications. I think the webapp-pack is the perfect place to install this bundle, giving all users a safe start.
We might need to have a look at the default recipe again: https://github.com/symfony/recipes/blob/main/nelmio/security-bundle/2.4/config/packages/nelmio_security.yaml. It should provide a safe start, but without adding technical depth to an application (e.g. do we want to disable framing by default, like currently done, or would this confuse new users too much?).
cc @franmomu