If your Symfony API is public-facing, weak authentication is your #1 risk. In this guide, I’ll show practical, copy-paste fixes for JWT, API keys, rate limiting, and secure defaults—plus how to quickly check your site with a Website Vulnerability Scanner online free.
Why “weak authentication” happens in Symfony
Common pitfalls I see in audits:
- Accidentally allowing
PUBLIC_ACCESSon/api/* - Long-lived tokens (no rotation, no refresh)
- Missing IP/credential throttling
- Treating API keys like passwords (no scope/expiry/rotation)
- Leaking secrets via verbose error messages or debug toolbars
Quick win: run your site through our free Website Security Scanner to baseline your posture and find low-hanging fruit.
For more deep dives, I also publish on our blog: Pentest Testing Corp →.
The “bad” (what to avoid)
# config/packages/security.yaml
# ❌ Example of weak API auth: everything under /api is effectively public
security:
enable_authenticator_manager: true
firewalls:
dev:
pattern: ^/(?:_profiler|_wdt|bundles|css|images|js)/
security: false
api:
pattern: ^/api
stateless: true
# Missing any real authenticator here… 😬
access_control:
- { path: ^/api, roles: PUBLIC_ACCESS } # ← THIS makes your API unauthenticated
The “good” (secure defaults with JWT)
1) Install and generate keys
composer require lexik/jwt-authentication-bundle
php bin/console lexik:jwt:generate-keypair
2) Configure JWT
# config/packages/lexik_jwt_authentication.yaml
lexik_jwt_authentication:
secret_key: '%kernel.project_dir%/config/jwt/private.pem'
public_key: '%kernel.project_dir%/config/jwt/public.pem'
pass_phrase: '%env(JWT_PASSPHRASE)%'
token_ttl: 3600 # 1 hour access tokens
token_extractors:
authorization_header:
enabled: true
prefix: Bearer
name: Authorization
3) Harden security.yaml
# config/packages/security.yaml
security:
enable_authenticator_manager: true
password_hashers:
Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface:
algorithm: auto # chooses a modern hasher (e.g., Argon2id/BCrypt)
providers:
app_user_provider:
entity:
class: App\Entity\User
property: email
firewalls:
dev:
pattern: ^/(?:_profiler|_wdt|bundles|css|images|js)/
security: false
api:
pattern: ^/api
stateless: true
provider: app_user_provider
json_login:
check_path: /api/auth/login
username_path: email
password_path: password
success_handler: lexik_jwt_authentication.handler.authentication_success
failure_handler: lexik_jwt_authentication.handler.authentication_failure
# Optional: throttle login right on the firewall (Symfony 6.4+)
login_throttling:
max_attempts: 5
interval: '15 minutes'
access_control:
- { path: ^/api/auth/login, roles: PUBLIC_ACCESS }
- { path: ^/api, roles: IS_AUTHENTICATED_FULLY }
4) Add login route
# config/routes.yaml
api_login_check:
path: /api/auth/login
5) Use refresh tokens (rotation!)
composer require gesdinet/jwt-refresh-token-bundle
# config/packages/gesdinet_jwt_refresh_token.yaml
gesdinet_jwt_refresh_token:
ttl: 2592000 # 30 days for refresh tokens
ttl_update: true # rotate on each use
firewall: api
# config/routes.yaml
gesdinet_jwt_refresh_token:
path: /api/auth/token/refresh
// Example: calling the refresh endpoint
// POST /api/auth/token/refresh { "refresh_token": "..." }
Optional: API keys with scopes (service-to-service)
Some systems need machine-to-machine access where users aren’t involved. Use a scoped API key with expiry + rotation.
// src/Security/ApiKeyAuthenticator.php
namespace App\Security;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Security\Http\Authenticator\AbstractAuthenticator;
use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
use Symfony\Component\Security\Http\Authenticator\Passport\Badge\RememberMeBadge;
use Symfony\Component\Security\Http\Authenticator\Passport\Credentials\CustomCredentials;
use Symfony\Component\HttpFoundation\JsonResponse;
final class ApiKeyAuthenticator extends AbstractAuthenticator
{
public function supports(Request $request): ?bool
{
return 0 === strpos($request->getPathInfo(), '/api/')
&& $request->headers->has('X-API-Key');
}
public function authenticate(Request $request): Passport
{
$apiKey = $request->headers->get('X-API-Key');
return new Passport(
new UserBadge($apiKey, function (string $key) {
// Look up ApiToken by token string, ensure not expired and scopes are valid
// return a User object (owner/service account)
return $this->tokenRepository->findActiveUserByToken($key);
}),
new CustomCredentials(function ($credentials, $user) use ($apiKey) {
// Optionally verify hash of the API key; never store raw keys
return $this->tokenVerifier->isValid($apiKey, $user);
}, $apiKey),
[new RememberMeBadge()] // has no effect in stateless, shown for completeness
);
}
public function onAuthenticationSuccess(Request $request, $token, string $firewallName)
{
return null; // allow request to continue
}
public function onAuthenticationFailure(Request $request, \Throwable $e)
{
return new JsonResponse(['message' => 'Invalid API Key'], 401);
}
}
Wire it up:
# config/packages/security.yaml (excerpt)
security:
firewalls:
api:
pattern: ^/api
stateless: true
custom_authenticators:
- App\Security\ApiKeyAuthenticator
Tips
• Store only a hash of the API key; show the raw value once.
• Attach scopes (e.g.,orders:read) and expiration.
• Rotate keys automatically and log their usage.
Rate limiting & brute-force protection
Enable the RateLimiter component for more control (beyond login throttling).
# config/packages/rate_limiter.yaml
framework:
rate_limiter:
api_ip:
policy: 'sliding_window'
limit: 100 # 100 requests
interval: '1 minute'
login:
policy: 'token_bucket'
limit: 5
rate: { interval: '1 minute', amount: 5 }
Use in a controller:
// src/Controller/AuthController.php
use Symfony\Component\RateLimiter\RateLimiterFactory;
use Symfony\Component\HttpFoundation\JsonResponse;
public function login(Request $request, RateLimiterFactory $login)
{
$limit = $login->create($request->getClientIp())->consume(1);
if (!$limit->isAccepted()) {
return new JsonResponse(['message' => 'Too many attempts'], 429);
}
// ...perform JSON login
}
Apply to all API routes via middleware:
// src/EventSubscriber/ApiRateLimitSubscriber.php
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\RateLimiter\RateLimiterFactory;
final class ApiRateLimitSubscriber implements EventSubscriberInterface
{
public function __construct(private RateLimiterFactory $api_ip) {}
public function onKernelRequest(RequestEvent $event): void
{
$req = $event->getRequest();
if (!str_starts_with($req->getPathInfo(), '/api/')) return;
$limit = $this->api_ip->create($req->getClientIp())->consume(1);
if (!$limit->isAccepted()) {
$event->setResponse(new JsonResponse(['message' => 'Too many requests'], 429));
}
}
public static function getSubscribedEvents(): array
{
return ['kernel.request' => 'onKernelRequest'];
}
}
CORS and CSRF (don’t mix them up)
- APIs are typically stateless; disable CSRF for JSON endpoints.
- Configure CORS correctly, preferably with a whitelist.
composer require nelmio/cors-bundle
# config/packages/nelmio_cors.yaml
nelmio_cors:
defaults:
allow_credentials: false
allow_origin: ['https://your-frontend.example']
allow_headers: ['Content-Type', 'Authorization']
expose_headers: ['Link']
allow_methods: ['GET','POST','PUT','DELETE','OPTIONS']
max_age: 3600
paths:
'^/api/':
allow_origin: ['https://your-frontend.example']
Short-lived tokens + refresh rotation (secure pattern)
# config/packages/lexik_jwt_authentication.yaml (excerpt)
lexik_jwt_authentication:
token_ttl: 3600 # 1 hour access tokens
# config/packages/gesdinet_jwt_refresh_token.yaml (excerpt)
gesdinet_jwt_refresh_token:
ttl: 1209600 # 14 days refresh tokens
ttl_update: true # rotate on every use (prevents replay)
Testing your protection (curl examples)
# 1) Login
curl -sX POST https://api.example.com/api/auth/login \
-H 'Content-Type: application/json' \
-d '{"email": "admin@example.com", "password": "S3cret!Pass"}'
# Response: {"token":"<JWT>"}
# 2) Call a protected endpoint
curl -s https://api.example.com/api/orders \
-H 'Authorization: Bearer <JWT>'
# 3) Refresh token
curl -sX POST https://api.example.com/api/auth/token/refresh \
-H 'Content-Type: application/json' \
-d '{"refresh_token":"<REFRESH_TOKEN>"}'
🔎 Our Free Tool screenshots
1) Website Vulnerability Scanner Screenshot
Screenshot of the free tools webpage where you can access security assessment tools.
This helps readers see how to kick off a scan in seconds.
2) Sample Vulnerability Report to check Website Vulnerability
Sample vulnerability assessment report generated with our free tool, providing insights into possible vulnerabilities.
This shows the kind of findings developers can expect after a scan.
Extra hardening checklist
- Enforce
IS_AUTHENTICATED_FULLY(not “remember me”) for all write endpoints - Prefer Argon2id or automatic hasher migration for passwords
- Separate user JWTs from service API keys; never mix scopes
- Log failed auth attempts with user agent + IP (GDPR-aware)
- Return generic error messages; detail goes to logs, not responses
- Rotate secrets & keys regularly; store them in a secret manager
- Add security tests in CI (JWT misuse, missing auth, CORS regressions)
Quick code: protect everything under /api (JWT or API key)
# config/packages/security.yaml (compact pattern)
security:
enable_authenticator_manager: true
firewalls:
api:
pattern: ^/api
stateless: true
# Choose ONE of the following authenticators:
# 1) JWT (end-user auth)
jwt: ~
# 2) Custom API key (comment the line above and uncomment below)
# custom_authenticators:
# - App\Security\ApiKeyAuthenticator
access_control:
- { path: ^/api/auth/login, roles: PUBLIC_ACCESS }
- { path: ^/api, roles: IS_AUTHENTICATED_FULLY }
Try it now (free)
Run a scan to catch weak authentication signals (exposed endpoints, headers, TLS issues) before attackers do:
👉 Run the free Website Security Scanner
And for deeper reading and walkthroughs:
- Blog: https://www.pentesttesting.com/blog/
- Newsletter: Subscribe on LinkedIn
Services you may need next
Managed IT Services (New)
From patching and endpoint management to identity & access hardening, we can own the “keep it running & secure” layer so your team ships features faster.
→ https://www.pentesttesting.com/managed-it-services/
AI Application Cybersecurity
If you’re shipping LLM features, secure model endpoints, API gateways, prompt injection defenses, and auth between services matter more than ever.
→ https://www.pentesttesting.com/ai-application-cybersecurity/
Offer Cybersecurity to Your Clients
Agencies & MSPs: white-label audits, DAST/SAST, and remediation playbooks you can deliver under your brand.
→ https://www.pentesttesting.com/offer-cybersecurity-service-to-your-client/
Final takeaway
Strong auth is a posture, not a plugin. With short-lived JWTs, scoped API keys, rotation, throttling, and sane defaults, your Symfony API gets both faster and safer. Save this post, ship the changes, and verify with a scan: free.pentesttesting.com.
Top comments (0)