sajad torkamani

What is a firewall in Symfony?

In Symfony, a firewall is a configuration-driven security layer that intercepts incoming HTTP requests, authenticates users and prepares the security context for the authorization decisions made via the access control configuration.

Every incoming HTTP request goes through a firewall (the first one that matches) so you can use firewalls to protect certain routes in your application.

You can define your firewalls in security.yaml. Here’s an example firewall:

security:
  firewalls:
    main:
      pattern: ^/
      lazy: true
      provider: app_user_provider
      form_login:
        login_path: login
        check_path: login
      logout:
        path: logout

The above config means:

  • Any request whose path matches the regular expression ^/ (that is, every request) will use the main firewall.
  • Users of this firewall are authenticated via a login form (form_login), whose login and check routes are both named login; because lazy: true is set, the session is only loaded when something actually needs the user.

What’s the difference between firewalls and access control?

In Symfony, firewalls are responsible for authentication – determining who the user is.

Access controls are responsible for authorization – determining what the user can access.

Stateful vs stateless firewalls

A stateful firewall keeps the authenticated user in the session, identified by a session cookie, so the user authenticates once and later requests reuse that session. It is typically used for web apps.

A stateless firewall does not use the session at all; it uses mechanisms like JWTs, API tokens, and OAuth to authenticate users, and every HTTP request must carry its own credentials and is authenticated from scratch. Stateless firewalls are typically used for APIs.
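The following security.yaml is added here as an example and is not taken from the original post. It combines the two ideas above: a stateless api firewall and a stateful main firewall decide how a user is authenticated, while the access_control list decides which roles each path requires. Because the first matching firewall wins, the more specific ^/api/ pattern is listed before the catch-all ^/. The entity class App\Entity\User and the handler App\Security\ApiTokenHandler are assumptions (the handler would implement Symfony's AccessTokenHandlerInterface, and the access_token authenticator needs Symfony 6.2 or later).

```yaml
security:
  # Assumed user provider: loads App\Entity\User by e-mail (not from the original post)
  providers:
    app_user_provider:
      entity:
        class: App\Entity\User
        property: email

  firewalls:
    # Profiler, toolbar and static assets: no security at all
    dev:
      pattern: ^/(_(profiler|wdt)|css|images|js)/
      security: false

    # Stateless: every request must present its own bearer token;
    # nothing is stored in the session. Listed before "main" because
    # the first firewall whose pattern matches handles the request.
    api:
      pattern: ^/api/
      stateless: true
      provider: app_user_provider
      access_token:
        token_handler: App\Security\ApiTokenHandler   # assumed class

    # Stateful: the user logs in once via the form and the session
    # cookie carries the authenticated user on later requests.
    main:
      pattern: ^/
      lazy: true
      provider: app_user_provider
      form_login:
        login_path: login
        check_path: login
      logout:
        path: logout

  # Authorization: evaluated in order, first matching path wins.
  access_control:
    - { path: ^/login$,  roles: PUBLIC_ACCESS }          # the form itself must stay reachable
    - { path: ^/api/,    roles: IS_AUTHENTICATED_FULLY } # any valid token holder
    - { path: ^/admin,   roles: ROLE_ADMIN }             # admin area
    - { path: ^/account, roles: ROLE_USER }              # logged-in users only
```

Note that the firewalls answer "who is this?" and the access_control rules answer "may they see this path?": a request to /admin passes through the main firewall for authentication, then is rejected with 403 by access_control unless the user holds ROLE_ADMIN. Ordering matters in both lists, so put specific patterns before broad ones.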

Tagged: Symfony