Description
Currently I see that most Symfony applications running on a web server that supports X-Sendfile do not use it, so the files are streamed through the PHP process. For security reasons I can understand that it should not be activated by default, as otherwise it could leak information about the system, but it would be good to have the possibility to control it from an environment variable so that whoever hosts the Symfony application can just activate it without relying on a developer to add or remove this call.
Example
Solution A
Set the default value of BinaryFileResponse::trustXSendfileTypeHeader() in the constructor based on whether a specific environment variable is set to true or not.
Solution B
Add an if statement to the public/index.php file that checks whether it is set or not (similar to trusted proxies):
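```php
use Symfony\Component\HttpFoundation\BinaryFileResponse;
// Trust the X-Sendfile-Type header only when the hosting environment opts in.
$trustXSendFileTypeHeader = $_SERVER['TRUST_X_SENDFILE_TYPE_HEADER'] ?? $_ENV['TRUST_X_SENDFILE_TYPE_HEADER'] ?? false;
if (filter_var($trustXSendFileTypeHeader, FILTER_VALIDATE_BOOLEAN)) {
    BinaryFileResponse::trustXSendfileTypeHeader();
}
```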
Let me know if something like this could be added to the http-foundation component or the index.php recipe; I'm willing to work on a Pull Request for it.