DEV Community


Posted on

Symfony 5: The ubiquitous of API Platform

There are various technologies and approaches to expose APIs.

Most teams would use RESTful APIs or a GraphQL endpoint depending on the goals and constraints.


The post refers to "Symfony 5" but API Platform is available for Symfony 6 too.


In the PHP world, API Platform is a very popular bundle you can quickly set with a Symfony command:

symfony composer req api
Enter fullscreen mode Exit fullscreen mode

Then, the /api route (or root ^^) should be already available.

To build your first endpoints, you will have to use specific annotations in your entities to expose specific resources on specific URLs, but the bundle speeds up devs drastically.

It's quite straighforward and, thus, interesting in terms of time and budget.

Besides, API Platform can use Swagger to provide an automated documentation system that will be synchronized with your devs, allowing your fields, entities, and other properties to be documented in an standardized way and a good UI.

It just works, but default configurations can expose too much information, and lack of access control can lead to security holes, especially when you have to manage users, create/edit capabilities, and authorization.

Implement access control

API Platform exposes pretty much everything by default, including all entities. It's easy to start, but the business logic is your responsibility.

If access should remain private, or, at least, restricted, you have to implement your custom rules:

    #[ApiProperty(security: "is_granted('ROLE_ADMIN')", securityPostDenormalize: "is_granted('UPDATE', object)")]
    private $keepItPrivate;
Enter fullscreen mode Exit fullscreen mode

Source: API Platform - core security

Behind the scene, the bundle uses the Symfony security component to restrict access.

It might seem obvious, but flaws at this level are not uncommon, which leads to security breaches.

Essential security features to consider

The bundle can activate many security mechanisms, but you'll have to implement them and use the right config:

  • Validation rules
  • API tokens
  • CORS
  • Scopes
  • Authorization & authentication
  • Access control & ownership
  • Sessions
  • Automated tests
  • Password hashing

What's the point?

API platform accepts various configurations and additional modules to build robust APIs, but it's not meant to provide security checks out of the box.

I've seen non-styled error pages, flawed or non-existent access control, and even debugging infos on production.

In terms of deadlines and features, the bundle is just awesome, but the security config is sometimes skipped or set with default rules.

It may be convenient for dev teams but also pen-testers (or threat actors).

Top comments (0)