[Security] Document the new expose_security_errors option

javiereguiluz · javiereguiluz · commit 1fddced3160b · 2025-05-29T07:56:42.000+02:00
diff --git a/reference/configuration/security.rst b/reference/configuration/security.rst
@@ -23,7 +23,7 @@ key in your application configuration.
 
 * `access_denied_url`_
 * `erase_credentials`_
-* `hide_user_not_found`_
+* `expose_security_errors`_
 * `session_fixation_strategy`_
 
 **Advanced Options**:
@@ -71,11 +71,38 @@ after authentication::
    Since Symfony 7.3, ``eraseCredentials()`` methods are deprecated and are
    not called if they have the ``#[\Deprecated]`` attribute.
 
+expose_security_errors
+----------------------
+
+**type**: ``string`` **default**: ``'none'``
+
+.. deprecated:: 7.3
+
+    The ``expose_security_errors`` option was introduced in Symfony 7.3
+
+User enumeration is a common security issue where attackers infer valid usernames
+based on error messages. For example, a message like "This user does not exist"
+shown by your login form reveals whether a username is valid.
+
+This options lets you hide some/all errors related to user accounts (e.g. blocked
+or expired accounts) to avoid this issue. Instead, these errors will return a
+generic ``BadCredentialsException``. The value of this option can be any of:
+
+* ``'none'``: hides all user-related security exceptions;
+* ``'account_status'``: shows account-related exceptions (e.g. blocked or expired
+  accounts) but only for users who provided the correct password;
+* ``'all'``: shows all security-related exceptions.
+
 hide_user_not_found
 -------------------
 
 **type**: ``boolean`` **default**: ``true``
 
+.. deprecated:: 7.3
+
+    The ``hide_user_not_found`` option was deprecated in favor of the
+    ``expose_security_errors`` option in Symfony 7.3.
+
 If ``true``, when a user is not found a generic exception of type
 :class:`Symfony\\Component\\Security\\Core\\Exception\\BadCredentialsException`
 is thrown with the message "Bad credentials".
