From a2f128875ec7f2244ba1213ed0e9edb183e0a312 Mon Sep 17 00:00:00 2001 From: Thomas Landauer Date: Fri, 21 Mar 2025 18:49:42 +0100 Subject: [PATCH 1/4] [Security]: Simplifying the DEV firewall's pattern Page: https://symfony.com/doc/6.4/security.html#the-firewall Reasons: * The inner parentheses `_(profiler|wdt)` are overly complicated * AssetMapper recommends to have all assets under `/asset/`: https://symfony.com/doc/6.4/frontend/asset_mapper.html --- security.rst | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/security.rst b/security.rst index fc0cf9c9377..b70e2084da1 100644 --- a/security.rst +++ b/security.rst @@ -497,7 +497,7 @@ will be able to authenticate (e.g. login form, API token, etc). # the order in which firewalls are defined is very important, as the # request will be handled by the first firewall whose pattern matches dev: - pattern: ^/(_(profiler|wdt)|css|images|js)/ + pattern: ^/(_profiler|_wdt|assets)/ security: false # a firewall with no pattern should be defined last because it will match all requests main: @@ -529,7 +529,7 @@ will be able to authenticate (e.g. login form, API token, etc). @@ -555,7 +555,7 @@ will be able to authenticate (e.g. login form, API token, etc). // the order in which firewalls are defined is very important, as the // request will be handled by the first firewall whose pattern matches $security->firewall('dev') - ->pattern('^/(_(profiler|wdt)|css|images|js)/') + ->pattern('^/(_profiler|_wdt|assets)/') ->security(false) ; @@ -598,9 +598,7 @@ don't accidentally block Symfony's dev tools - which live under URLs like pattern: - ^/_profiler/ - ^/_wdt/ - - ^/css/ - - ^/images/ - - ^/js/ + - ^/assets/ # ... .. code-block:: php From 00a2d478ae09c289bdde60b9e9880c59bc6d383b Mon Sep 17 00:00:00 2001 From: Thomas Landauer Date: Fri, 21 Mar 2025 19:02:50 +0100 Subject: [PATCH 2/4] Update security.rst --- security.rst | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) 
diff --git a/security.rst b/security.rst index b70e2084da1..a821fbff64d 100644 --- a/security.rst +++ b/security.rst @@ -612,9 +612,7 @@ don't accidentally block Symfony's dev tools - which live under URLs like ->pattern([ '^/_profiler/', '^/_wdt/', - '^/css/', - '^/images/', - '^/js/', + '^/assets/', ]) ->security(false) ; From db906404bd9fc4e981cf7f8c31d82d1594dac01e Mon Sep 17 00:00:00 2001 From: Thomas Landauer Date: Sun, 23 Mar 2025 11:20:42 +0100 Subject: [PATCH 3/4] Update security.rst --- security.rst | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/security.rst b/security.rst index a821fbff64d..caf7b78a95c 100644 --- a/security.rst +++ b/security.rst @@ -497,7 +497,7 @@ will be able to authenticate (e.g. login form, API token, etc). # the order in which firewalls are defined is very important, as the # request will be handled by the first firewall whose pattern matches dev: - pattern: ^/(_profiler|_wdt|assets)/ + pattern: ^/_profiler|_wdt|assets|build/ # `assets` is for AssetMapper; `build` is for Webpack Encore security: false # a firewall with no pattern should be defined last because it will match all requests main: @@ -529,8 +529,8 @@ will be able to authenticate (e.g. login form, API token, etc). + pattern="^/_profiler|_wdt|assets|build/" + security="false"/> firewall('dev') - ->pattern('^/(_profiler|_wdt|assets)/') + ->pattern('^/_profiler|_wdt|assets|build/') // `assets` is for AssetMapper; `build` is for Webpack Encore ->security(false) ; From 94c36b63189c88e5ebc02b5da5a2551ced58a13f Mon Sep 17 00:00:00 2001 From: Thomas Landauer Date: Sun, 8 Jun 2025 11:19:50 +0200 Subject: [PATCH 4/4] Update security.rst Co-authored-by: Christian Flothmann --- security.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security.rst b/security.rst index caf7b78a95c..d0af7ac7e93 100644 --- a/security.rst +++ b/security.rst 
@@ -555,7 +555,7 @@ will be able to authenticate (e.g. login form, API token, etc). // the order in which firewalls are defined is very important, as the // request will be handled by the first firewall whose pattern matches $security->firewall('dev') - ->pattern('^/_profiler|_wdt|assets|build/') // `assets` is for AssetMapper; `build` is for Webpack Encore + ->pattern('^/(_profiler|_wdt|assets|build)/') // `assets` is for AssetMapper; `build` is for Webpack Encore ->security(false) ;
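Review bot: In PATCH 1/4, the hunk at `@@ -497` (and the parallel hunks at `@@ -555` and `@@ -598`) silently drops `css`, `images` and `js` from the dev firewall pattern; for readers who still serve static files from `/css/`, `/images/` or `/js/` without AssetMapper, those requests will now fall through to the `main` firewall, which is a behaviour change rather than a simplification. Please say in the surrounding prose that `assets` assumes AssetMapper (the later `# \`assets\` is for AssetMapper` comment does this only inside the config snippets), so that readers on a different asset setup know to adjust the pattern.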
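Review bot: In PATCH 3/4, the hunk at `@@ -497` replaces `^/(_profiler|_wdt|assets)/` with `^/_profiler|_wdt|assets|build/`, which is not the same regex: alternation binds loosest, so only the `_profiler` branch keeps the `^/` anchor, and `_wdt`, `assets` and `build/` now match anywhere in the request path. Any URL containing those substrings (for example a page under `/profile/build/`) would then be routed to the dev firewall with `security: false`. This is a security regression in a documentation example that readers copy verbatim; the grouping must stay, i.e. `pattern: ^/(_profiler|_wdt|assets|build)/`. The same ungrouped pattern appears in the XML hunk at `@@ -529` (`pattern="^/_profiler|_wdt|assets|build/"`) and in the PHP hunk at `@@ -555`.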
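Review bot: PATCH 4/4 restores the parentheses only in the PHP variant (`->pattern('^/(_profiler|_wdt|assets|build)/')`), so after this series the YAML example at line 500 and the XML example at line 531 still carry the ungrouped `^/_profiler|_wdt|assets|build/`; apply the same fix to those two hunks so that all three formats describe one and the same firewall. Separately, the list-form examples touched at `@@ -598` (PATCH 1/4) and `@@ -612` (PATCH 2/4) only gained `^/assets/` and never received a `- ^/build/` / `'^/build/'` entry, so the single-regex and list-form examples no longer agree on which paths are exempt; add `build` there too, or drop it from the single-regex form, and note the AssetMapper/Webpack Encore distinction once in prose rather than as a trailing comment on each config line.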