Extending Symfony2 Web Application Framework

By: Sebastien Armand
Table of Contents (13 chapters)

Chapter 4. Security

Security is a very broad topic, and in general, it means restricting access to resources depending on who tries to access them. This chapter does not go into the theory; instead, it takes a hands-on approach to customizing the security layer of Symfony to meet your needs.

Security is usually split into two parts:

  • Authentication: This identifies who is trying to access our app and is a prerequisite to authorization

  • Authorization: This decides whether a user has the right to access specific parts of the app/data

In other words, authentication answers the question "Who are you?" (Luke Skywalker) and authorization decides what you are allowed to do (for example, use the Force: yes; pilot the Death Star: no).

We'll first go through both topics in order, and then see a practical application of these techniques to protect an API against CSRF attacks.