For example, RSA private keys for the internal application's crypto tasks, like outgoing TLS connections or simple encryption of persistent data at the application level, but not for the incoming web server's HTTPS connection.
The only thing I found in the docs about sensitive data is http://symfony.com/doc/3.2/best_practices/configuration.html#moving-sensitive-options-outside-of-symfony-entirely. But it is not well suited when the sensitive data is too large to store in ENV and the application's deploy user has write permission only to the application root directory (except for storing files outside %kernel.root_dir%/../ and passing the path in ENV). We can store the data in the %kernel.root_dir%/../var directory (like LexikJWTAuthenticationBundle does by default), but usually the application user (www-data for instance) has write permission to the whole of it, and that does not seem secure. Also, afaik, Symfony's var folder is for data generated by the application itself.
@VolCh thanks for reporting this issue. Fortunately, things have improved a lot since you reported this issue originally. In modern Symfony versions we have "env var processors" (https://symfony.com/doc/current/configuration/external_parameters.html) which let you store the credentials in files stored anywhere on your server and get their contents, JSON-decode them if needed, etc. So let's close this issue as fixed. Thanks!
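As an added illustration of the approach described in the reply above (not configuration from the Symfony docs or from the reporter's project; the file paths, parameter names and service class are assumptions), this `config/services.yaml` fragment uses the `file:` and `json:file:` env var processors so a PEM key and a JSON secrets document are read at runtime from files that can live outside the writable project tree:

```yaml
# config/services.yaml (added example; paths, names and the service class are assumed)
parameters:
    # Defaults are only for local development. In production, export
    # PRIVATE_KEY_FILE and APP_SECRETS_FILE in the PHP process environment
    # (e.g. the php-fpm pool config) so they point outside the project tree.
    env(PRIVATE_KEY_FILE): '%kernel.project_dir%/var/dev-only-private.pem'
    env(APP_SECRETS_FILE): '%kernel.project_dir%/var/dev-only-secrets.json'

services:
    # Assumed application service that encrypts persisted data with an RSA key.
    App\Security\PersistenceEncrypter:
        arguments:
            # file: reads the file contents at runtime, so the large PEM body
            # never has to be placed in an environment variable itself.
            $privateKeyPem: '%env(file:PRIVATE_KEY_FILE)%'
            # json:file: reads the file and json-decodes it into an array.
            $secrets: '%env(json:file:APP_SECRETS_FILE)%'
```

In production the referenced files (for example under /etc/myapp/) should be readable by the PHP process user and writable by neither that user nor the deploy user, e.g. root-owned with mode 0440 and the web server's group, which is the separation the reporter could not get from var/.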
…viereguiluz)
This PR was merged into the 4.0 branch.
Discussion
----------
Link to the env vars article from the Best Practices
I thought about this after reading #7361.
Commits
-------
43addfa Link to the env vars article from the Best Practices