New in Symfony 7.2: Optional Secret


One of the most well-known Symfony configuration options is the secret,
which can be configured via the framework.secret option or the APP_SECRET
env var in one of the .env files processed by Symfony. Regardless of how you
configure it, this value ultimately becomes the kernel.secret parameter in
your application.

Despite its name, this option is not needed at all in new Symfony applications.
It is only relevant for optional features that you might never use, such as:

  • Login links for password-less logins;
  • Remember Me for automatic logins based on prior sessions;
  • Rate Limiter for controlling the frequency of specific actions;
  • ESI for content includes when using HTTP caching.

A long-term effort in the Symfony project was to allow creating new applications
without requiring a secret value. In Symfony 7.2, we finally achieved that goal,
so new applications now come with an empty secret by default.
To accomplish this, we did the following changes:

  • PR #56840: Updated the login links feature to allow defining a custom secret
    value for signing the links. It still relies on kernel.secret by default,
    but no longer requires it;
  • PR #56838: Deprecated the $secret argument in Remember Me feature, as
    this secret has not been used since the feature was refactored to the new
    authentication system;
  • PR #56831: Removed the use of the secret in the Rate Limiter for hashing IP
    addresses and usernames, which is done to anonymize data;
  • PR #57462: Modified secret resolution in configuration files to happen
    lazily, avoiding issues during file processing;
  • PR #56985: If you use secrets to store sensitive information, you must
    configure a decryption key. In Symfony 7.2, this key will also serve as the
    kernel.secret when a secret is required but not defined.

With these changes, if you enable a feature that requires a secret but have not
configured one, Symfony will throw an exception with a clear message explaining
how to resolve the issue.

Finally, to improve DX (developer experience) during local development, Symfony
automatically generates a secret value for the local environment when creating a
new application. This value is stored in the .env.dev file, which is a safer
practice compared to the previous approach. Previously, the secret was generated
in the main .env, which is also used in production and could potentially be
exploited by malicious actors within the development team.
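The resolution order and the dev-only secret described above, as an added illustration that is not Symfony's own code: the class and function names, the 32-hex-character secret format and the message text are assumptions made for this example.

```php
<?php
// Added illustration of the Symfony 7.2 behaviour described in the post.
// Not framework code: MissingSecretException, resolveSecret() and
// writeDevSecret() are invented names for this example.

final class MissingSecretException extends \RuntimeException {}

/**
 * Pick the secret a feature should use, in the order the post describes:
 *   1. a feature-specific secret, where the feature allows one (login links);
 *   2. kernel.secret, i.e. framework.secret / APP_SECRET;
 *   3. the secrets-vault decryption key, when one is configured.
 * With none available, fail with a message that says how to fix it.
 */
function resolveSecret(string $feature, ?string $featureSecret, string $kernelSecret, ?string $decryptionKey): string
{
    foreach ([$featureSecret, $kernelSecret, $decryptionKey] as $candidate) {
        if (\is_string($candidate) && $candidate !== '') {
            return $candidate;
        }
    }
    throw new MissingSecretException(sprintf(
        'The "%s" feature needs a secret but none is configured: set APP_SECRET '
        .'(framework.secret) or configure a decryption key for the secrets vault.',
        $feature
    ));
}

/**
 * Generate a local-only secret the way a fresh app would: random, hex-encoded,
 * written to .env.dev rather than to the shared .env. Length is an assumption.
 */
function writeDevSecret(string $envDevPath): string
{
    $secret = bin2hex(random_bytes(16)); // 32 hex characters
    file_put_contents($envDevPath, sprintf("APP_SECRET=%s\n", $secret), FILE_APPEND | LOCK_EX);
    return $secret;
}

// Constructed scenario: a new 7.2 app with an empty APP_SECRET and no vault key.
$kernelSecret  = getenv('APP_SECRET') ?: '';
$decryptionKey = null;

try {
    resolveSecret('login_link', null, $kernelSecret, $decryptionKey);
} catch (MissingSecretException $e) {
    echo $e->getMessage(), PHP_EOL; // the "clear message" the post refers to
}

// Same app once a vault decryption key is configured: the key stands in for kernel.secret.
echo resolveSecret('esi', null, $kernelSecret, 'constructed-decryption-key'), PHP_EOL;
```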
