Configuration
When installing the bundle, the Symfony Flex recipe will add a default config file to use as a starting point at config/packages/antispam.yaml. The file is yours to change according to your needs.
The bundle configuration is for the most part self-documented, and the annotated default configuration can be viewed from the Symfony console with:
Note that you can also view the resolved configuration during development:
The fields under the antispam bundle root key are detailed below.
enabled
type: boolean
default: true
Allows you to enable or disable the entire bundle. Its main purpose is to be able to disable the bundle during functional testing, where it may interfere with, or complicate, your test cases.
passive
type: boolean
default: false
Default passive setting for all validators and form types of the bundle.
quarantine
When forms have been validated, they can be put in quarantine for analysis and logging purposes. Quarantine also allows you to review false positives and, if only_spam is disabled, false negatives.
stealth
type: boolean
default: false
Default stealth setting for all validators and form types of the bundle.
On default global and profile stealth settings
The global and profile defaults for stealth are different on purpose. The global setting is applied to validators and form types used separately, and will therefore default to acting like an actual validator, displaying the precise error in the right place. Within a profile they become part of a larger antispam measure, and are therefore stealthed, merging them together as a generic rejection message.
profiles
Keyed map of profiles to be used throughout your application. Use profiles to cater for different use cases, as you may want to apply different antispam measures to a contact form than a registration form, which may both differ from a comment section form.
Each profile supports the following options:
stealth
type: boolean
default: true
By default stealth mode is enabled for all forms. Change this property to disable it specifically per profile.
passive
type: boolean
default: null
You can enable or disable passive mode explicitly per form profile, or leave it at null to follow the global setting.
Default config
# Default configuration for extension with alias: "antispam"
antispam:

    # Global default for whether included components should cause hard failures
    passive: false

    # Global default for whether included components issue verbose or stealthy error messages
    stealth: false

    # Allows you to globally disable all bundle functions, specifically for functional testing
    enabled: true

    # Quarantine settings determine what to do with caught spam
    quarantine:

        # When false ham submits are also put in the quarantine, allowing you to analyze false negatives
        only_spam: true
        file:
            dir: '%kernel.project_dir%/var/quarantine'
            max_days: 14

    # A named list of different profiles used throughout your application
    profiles:

        # Prototype: Name the profile
        name:

            # Defines whether measures in this profile issue stealthy error messages
            stealth: true

            # Passive mode will not make any of the included checks actually fail validation, they will still be logged. Null inherits global setting
            passive: null

            # Defines whether to disallow content resembling markup languages like HTML and BBCode
            banned_markup:
                html: true
                bbcode: true

            # Simple array of phrases which are rejected when encountered in a submitted text field
            banned_phrases:
                phrases: []

            # Banned script types, like Cyrillic or Arabic (see docs for commonly used ISO 15924 names)
            banned_scripts:
                scripts: []
                max_characters: null
                max_percentage: 0

            # Inject an invisible honeypot field in forms, baiting spambots to fill it in
            honeypot:

                # Base name of the injected field
                field: ~ # Required
                attributes:

                    # Prototype
                    name: ~

            # Verify that time between retrieval and submission of a form is within human boundaries
            timer:

                # Base name of the injected field
                field: _validation
                min: 3
                max: 3600

            # Configure limits to number of URLs permitted in text fields
            url_count:

                # Maximum number of URLs accepted per text field
                max: null

                # Maximum number of identical URLs accepted per text field
                max_identical: null
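A staged rollout built from the options documented above, as an added example that is not part of the bundle's own documentation. The profile names contact and comment, the honeypot field name, the banned phrase and the URL limits are assumptions chosen for illustration; when@test is Symfony's standard per-environment configuration syntax.

```yaml
# Added example, not the bundle's shipped config. Profile names and values are assumptions.
antispam:
    passive: false
    stealth: false
    quarantine:
        # Also keep ham submits so false negatives can be reviewed while tuning
        only_spam: false
        file:
            dir: '%kernel.project_dir%/var/quarantine'
            max_days: 14
    profiles:
        # Enforcing profile: passive null inherits the global false, so checks fail validation
        contact:
            stealth: true
            passive: null
            honeypot:
                field: email_confirm    # hypothetical bait field name
            timer:
                field: _validation
                min: 3
                max: 3600
            url_count:
                max: 2
                max_identical: 1
        # Observing profile: checks are logged but never fail validation
        comment:
            stealth: true
            passive: true
            banned_markup:
                html: true
                bbcode: true
            banned_phrases:
                phrases: ['constructed sample phrase']
            url_count:
                max: 1
                max_identical: 1

# Disable the whole bundle in functional tests, the main purpose of the enabled switch
when@test:
    antispam:
        enabled: false
```

Once the logged results for the comment profile show an acceptable false-positive rate, set its passive back to null so the checks enforce. A profile left at passive: true rejects nothing, so treat it as a temporary measurement state.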