Hi *,

Interesting that there are so many replies. I'll reply to the initial posting, because I feel that I can't agree with any other.

My proposal is: make symfony safe for people that don't know what they are doing. I say that because: http://www.google.de/search?q=inurl:frontend_dev.php

I just assume that everything was deployed to the live system. As this should work also for all servers, it shouldn't be a .htaccess based solution.

To follow my proposal, and make it really simple: add to all non-production controllers:

    <?php
    // This prevents accidental access to non-production frontends
    if (!in_array($_SERVER['REMOTE_ADDR'], array('127.0.0.1'))) {
        echo('Your IP '.$_SERVER['REMOTE_ADDR'].' is not in the set of allowed IPs.');
        echo('Check '.__FILE__.' for more information. ');
        die();
    }
    ?>

This is:

- easy: No config required. Works by default 100% secure.
- extensible: If devs want to keep it, it's easy to understand where to add new IPs.
- performant: Absolutely no impact on the production controller (compared with apache and filter rules)
- removable: remove those 7 lines and you have removed the whole default protection
- dummy safe: you can deploy it to a server without looking at it and it is safe.

This does NOT provide complete security against "attacks". Let's say you added your company proxy IP: a colleague not working on this project could get access to it as well. However, it adds a lot of security against random attack attempts.

.: Fabian

-----Original Message-----
From: [email protected] [mailto:[EMAIL PROTECTED] On Behalf Of Ian P. Christian
Sent: Friday, 16 May 2008 14:30
To: [email protected]
Subject: [symfony-devs] RFC - securing _dev files

I want to hear from you all as to what you think the best method for securing the default _dev files is. I will not suggest anything now, as I want to present a blank slate. I will implement the solution we finally agree on. Those that want to help please let me know.
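Below is an added example of the allow-list idea from the thread in a slightly more general form. It is not Fabian's snippet and not Symfony code: it accepts CIDR ranges as well as single addresses, refuses malformed input instead of letting it through, and answers with a 403 and a generic message rather than printing the file path. It assumes IPv4 clients, that the web server sets $_SERVER['REMOTE_ADDR'] itself, and the function names and the sample allow list (127.0.0.1 plus the documentation range 192.0.2.0/24) are constructed for illustration.

```php
<?php
// Added example (not Fabian's snippet and not Symfony code): an IP allow-list
// guard for a development front controller such as frontend_dev.php.
// Assumes IPv4 clients and that the web server itself populates REMOTE_ADDR.

/**
 * Return true when $ip (dotted IPv4) is covered by at least one entry in
 * $allowed. Entries are plain addresses ("127.0.0.1") or CIDR ranges
 * ("10.0.0.0/8"). Anything that does not parse is treated as "not allowed"
 * so a typo in the list can only deny access, never widen it.
 */
function ipIsAllowed($ip, array $allowed)
{
    $ipLong = ip2long($ip);
    if ($ipLong === false) {
        return false; // malformed or non-IPv4 client address: deny
    }
    foreach ($allowed as $entry) {
        if (strpos($entry, '/') === false) {
            $entry .= '/32'; // a single host is a /32 range
        }
        list($net, $bits) = explode('/', $entry, 2);
        $netLong = ip2long($net);
        if ($netLong === false || !ctype_digit($bits) || (int) $bits > 32) {
            continue; // skip a malformed allow-list entry rather than matching it
        }
        $bits = (int) $bits;
        // -1 << n keeps the top (32 - n) bits; a /0 matches every address.
        $mask = $bits === 0 ? 0 : (-1 << (32 - $bits));
        if (($ipLong & $mask) === ($netLong & $mask)) {
            return true;
        }
    }
    return false;
}

/**
 * Stop the request unless the client address is on the allow list.
 * Only REMOTE_ADDR is consulted: headers such as X-Forwarded-For are
 * chosen by the client and must not be used for this decision.
 */
function guardDevController(array $allowed)
{
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    if (ipIsAllowed($ip, $allowed)) {
        return;
    }
    header('HTTP/1.0 403 Forbidden');
    header('Content-Type: text/plain');
    // Log the full detail server-side; tell the client as little as possible.
    error_log('dev controller denied for '.$ip.' in '.__FILE__);
    echo 'Access to this development controller is restricted to listed IPs.';
    exit;
}

// Put this at the very top of the _dev front controller, before the symfony
// bootstrap, so nothing of the application runs for a rejected client.
// 192.0.2.0/24 is a constructed sample range (the documentation block).
guardDevController(array('127.0.0.1', '192.0.2.0/24'));
```

The hedge Fabian mentions still applies: if the site sits behind a reverse proxy or a corporate NAT, REMOTE_ADDR is the proxy's address, so listing it admits everyone behind that proxy. In that setup the check has to move to the proxy itself, or be combined with a separate credential, because the front controller can no longer tell the clients apart.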
