From 81dde6fa687d147082fac991129e7d62a12b93c4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20B=C3=B6hmer?=
Date: Sat, 7 Feb 2026 17:18:31 +0100
Subject: [PATCH] Only allow to set the DELETE method via HTTP method overriding

This hardens security
---
 config/packages/framework.yaml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/config/packages/framework.yaml b/config/packages/framework.yaml
index 6843a177..dd8f30a5 100644
--- a/config/packages/framework.yaml
+++ b/config/packages/framework.yaml
@@ -1,3 +1,4 @@
+# yaml-language-server: $schema=../../vendor/symfony/dependency-injection/Loader/schema/services.schema.json
 # see https://symfony.com/doc/current/reference/configuration/framework.html
 framework:
 secret: '%env(APP_SECRET)%'
@@ -8,6 +9,7 @@ framework:
 # Must be set to true, to enable the change of HTTP method via _method parameter, otherwise our delete routines does not work anymore
 # TODO: Rework delete routines to work without _method parameter as it is not recommended anymore (see https://github.com/symfony/symfony/issues/45278)
 http_method_override: true
+ allowed_http_method_override: ['DELETE']
 
 # Allow users to configure trusted hosts via .env variables
 # see https://symfony.com/doc/current/reference/configuration/framework.html#trusted-hosts
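Review bot: The new `allowed_http_method_override: ['DELETE']` line in the second hunk has no comment of its own, and the comment above it still only explains why `http_method_override` has to stay true. I would add `# Only DELETE may be selected via the _method override; widen this list only when a form really needs another verb` directly above the new key, so the restriction is not loosened casually later. Limiting the override narrows which verb a POST can be rewritten to, but it does not stand in for CSRF token validation on the delete actions themselves, which are not visible in this patch. If this option only exists in recent Symfony releases (I believe it arrived in 7.4), the minimum framework version in composer.json should be checked against it, since an older version would presumably reject the unknown key. The `framework:` mapping starts and continues outside the hunk.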