From a2f128875ec7f2244ba1213ed0e9edb183e0a312 Mon Sep 17 00:00:00 2001 From: Thomas Landauer Date: Fri, 21 Mar 2025 18:49:42 +0100 Subject: [PATCH 1/3] [Security]: Simplifying the DEV firewall's pattern Page: https://symfony.com/doc/6.4/security.html#the-firewall Reasons: * The inner parentheses `_(profiler|wdt)` are overly complicated * AssetMapper recommends to have all assets under `/asset/`: https://symfony.com/doc/6.4/frontend/asset_mapper.html --- security.rst | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/security.rst b/security.rst index fc0cf9c9377..b70e2084da1 100644 --- a/security.rst +++ b/security.rst @@ -497,7 +497,7 @@ will be able to authenticate (e.g. login form, API token, etc). # the order in which firewalls are defined is very important, as the # request will be handled by the first firewall whose pattern matches dev: - pattern: ^/(_(profiler|wdt)|css|images|js)/ + pattern: ^/(_profiler|_wdt|assets)/ security: false # a firewall with no pattern should be defined last because it will match all requests main: @@ -529,7 +529,7 @@ will be able to authenticate (e.g. login form, API token, etc). @@ -555,7 +555,7 @@ will be able to authenticate (e.g. login form, API token, etc). // the order in which firewalls are defined is very important, as the // request will be handled by the first firewall whose pattern matches $security->firewall('dev') - ->pattern('^/(_(profiler|wdt)|css|images|js)/') + ->pattern('^/(_profiler|_wdt|assets)/') ->security(false) ; @@ -598,9 +598,7 @@ don't accidentally block Symfony's dev tools - which live under URLs like pattern: - ^/_profiler/ - ^/_wdt/ - - ^/css/ - - ^/images/ - - ^/js/ + - ^/assets/ # ... .. code-block:: php From 00a2d478ae09c289bdde60b9e9880c59bc6d383b Mon Sep 17 00:00:00 2001 From: Thomas Landauer Date: Fri, 21 Mar 2025 19:02:50 +0100 Subject: [PATCH 2/3] Update security.rst --- security.rst | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) 
diff --git a/security.rst b/security.rst index b70e2084da1..a821fbff64d 100644 --- a/security.rst +++ b/security.rst @@ -612,9 +612,7 @@ don't accidentally block Symfony's dev tools - which live under URLs like ->pattern([ '^/_profiler/', '^/_wdt/', - '^/css/', - '^/images/', - '^/js/', + '^/assets/', ]) ->security(false) ; From db906404bd9fc4e981cf7f8c31d82d1594dac01e Mon Sep 17 00:00:00 2001 From: Thomas Landauer Date: Sun, 23 Mar 2025 11:20:42 +0100 Subject: [PATCH 3/3] Update security.rst --- security.rst | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/security.rst b/security.rst index a821fbff64d..caf7b78a95c 100644 --- a/security.rst +++ b/security.rst @@ -497,7 +497,7 @@ will be able to authenticate (e.g. login form, API token, etc). # the order in which firewalls are defined is very important, as the # request will be handled by the first firewall whose pattern matches dev: - pattern: ^/(_profiler|_wdt|assets)/ + pattern: ^/_profiler|_wdt|assets|build/ # `assets` is for AssetMapper; `build` is for Webpack Encore security: false # a firewall with no pattern should be defined last because it will match all requests main: @@ -529,8 +529,8 @@ will be able to authenticate (e.g. login form, API token, etc). + pattern="^/_profiler|_wdt|assets|build/" + security="false"/> firewall('dev') - ->pattern('^/(_profiler|_wdt|assets)/') + ->pattern('^/_profiler|_wdt|assets|build/') // `assets` is for AssetMapper; `build` is for Webpack Encore ->security(false) ;
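Review bot: Dropping the grouping parentheses in the new `pattern: ^/_profiler|_wdt|assets|build/` line (the PATCH 3/3 hunk at `@@ -497`) changes what the regex matches: `^/` now anchors only the `_profiler` alternative, so `_wdt`, `assets` and `build/` match anywhere in the request path. Because this firewall sets `security: false`, any path that merely contains one of those substrings (for example `/admin/assets-report`, `/account/_wdt` or `/reports/build/`) would be handled by the `dev` firewall and served without authentication, which turns the documented default into an authentication bypass. Keep the group so the anchor and the trailing slash apply to every alternative: `pattern: ^/(_profiler|_wdt|assets|build)/`, and likewise `pattern="^/(_profiler|_wdt|assets|build)/"` in the XML hunk and `->pattern('^/(_profiler|_wdt|assets|build)/')` in the PHP hunk of the same patch. The added trailing comment explaining that `assets` is for AssetMapper and `build` for Webpack Encore is useful and should stay on those lines.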