diff --git a/book/security.rst b/book/security.rst
index a2fea0592b9..07310c0225f 100644
--- a/book/security.rst
+++ b/book/security.rst
@@ -181,6 +181,11 @@ firewall is activated does *not* mean, however, that the HTTP authentication
username and password box is displayed for every URL. For example, any user
can access ``/foo`` without being prompted to authenticate.
+.. tip::
+
+ You can also match a request against other details of the request (e.g. host, method). For more
+ information and examples read :doc:`/cookbook/security/firewall_restriction`.
+
.. image:: /images/book/security_anonymous_user_access.png
:align: center
@@ -2139,7 +2144,7 @@ Learn more from the Cookbook
* :doc:`Blacklist users by IP address with a custom voter `
* :doc:`Access Control Lists (ACLs) `
* :doc:`/cookbook/security/remember_me`
-* :doc:`How to Restrict Firewalls to a Specific Host `
+* :doc:`How to Restrict Firewalls to a Specific Request `
.. _`FOSUserBundle`: https://github.com/FriendsOfSymfony/FOSUserBundle
.. _`implement the \Serializable interface`: http://php.net/manual/en/class.serializable.php
diff --git a/cookbook/map.rst.inc b/cookbook/map.rst.inc
index 6c23641e2e3..dd9295c9515 100644
--- a/cookbook/map.rst.inc
+++ b/cookbook/map.rst.inc
@@ -138,7 +138,7 @@
* :doc:`/cookbook/security/acl`
* :doc:`/cookbook/security/acl_advanced`
* :doc:`/cookbook/security/force_https`
- * :doc:`/cookbook/security/host_restriction`
+ * :doc:`/cookbook/security/firewall_restriction`
* :doc:`/cookbook/security/form_login`
* :doc:`/cookbook/security/securing_services`
* :doc:`/cookbook/security/custom_provider`
diff --git a/cookbook/security/firewall_restriction.rst b/cookbook/security/firewall_restriction.rst
new file mode 100644
index 00000000000..db3568e5f2b
--- /dev/null
+++ b/cookbook/security/firewall_restriction.rst
@@ -0,0 +1,193 @@
+.. index::
+ single: Security; Restrict Security Firewalls to a Request
+
+How to Restrict Firewalls to a Specific Request
+===============================================
+
+When using the Security component, you can create firewalls that match certain request options.
+In most cases, matching against the URL is sufficient, but in special cases you can further
+restrict the initialization of a firewall against other options of the request.
+
+.. note::
+
+ You can use any of these restrictions individually or mix them together to get
+ your desired firewall configuration.
+
+Restricting by Pattern
+----------------------
+
+This is the default restriction and restricts a firewall to only be initialized if the request URL
+matches the configured ``pattern``.
+
+.. configuration-block::
+
+ .. code-block:: yaml
+
+ # app/config/security.yml
+
+ # ...
+ security:
+ firewalls:
+ secured_area:
+ pattern: ^/admin
+ # ...
+
+ .. code-block:: xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+ .. code-block:: php
+
+ // app/config/security.php
+
+ // ...
+ $container->loadFromExtension('security', array(
+ 'firewalls' => array(
+ 'secured_area' => array(
+ 'pattern' => '^/admin',
+ // ...
+ ),
+ ),
+ ));
+
+The ``pattern`` is a regular expression. In this example, the firewall will only be
+activated if the URL starts (due to the ``^`` regex character) with ``/admin`. If
+the URL does not match this pattern, the firewall will not be activated and subsequent
+firewalls will have the opportunity to be matched for this request.
+
+Restricting by Host
+-------------------
+
+.. versionadded:: 2.4
+ Support for restricting security firewalls to a specific host was introduced in
+ Symfony 2.4.
+
+If matching against the ``pattern`` only is not enough, the request can also be matched against
+``host``. When the configuration option ``host`` is set, the firewall will be restricted to
+only initialize if the host from the request matches against the configuration.
+
+.. configuration-block::
+
+ .. code-block:: yaml
+
+ # app/config/security.yml
+
+ # ...
+ security:
+ firewalls:
+ secured_area:
+ host: ^admin\.example\.com$
+ # ...
+
+ .. code-block:: xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+ .. code-block:: php
+
+ // app/config/security.php
+
+ // ...
+ $container->loadFromExtension('security', array(
+ 'firewalls' => array(
+ 'secured_area' => array(
+ 'host' => '^admin\.example\.com$',
+ // ...
+ ),
+ ),
+ ));
+
+The ``host`` (like the ``pattern``) is a regular expression. In this example,
+the firewall will only be activated if the host is equal exactly (due to
+the ``^`` and ``$`` regex characters) to the hostname ``admin.example.com``.
+If the hostname does not match this pattern, the firewall will not be activated
+and subsequent firewalls will have the opportunity to be matched for this
+request.
+
+Restricting by HTTP Methods
+---------------------------
+
+.. versionadded:: 2.5
+ Support for restricting security firewalls to specific HTTP methods was introduced in
+ Symfony 2.5.
+
+The configuration option ``methods`` restricts the initialization of the firewall to
+the provided HTTP methods.
+
+.. configuration-block::
+
+ .. code-block:: yaml
+
+ # app/config/security.yml
+
+ # ...
+ security:
+ firewalls:
+ secured_area:
+ methods: [GET, POST]
+ # ...
+
+ .. code-block:: xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+ .. code-block:: php
+
+ // app/config/security.php
+
+ // ...
+ $container->loadFromExtension('security', array(
+ 'firewalls' => array(
+ 'secured_area' => array(
+ 'methods' => array('GET', 'POST'),
+ // ...
+ ),
+ ),
+ ));
+
+In this example, the firewall will only be activated if the HTTP method of the
+request is either ``GET`` or ``POST``. If the method is not in the array of the
+allowed methods, the firewall will not be activated and subsequent firewalls will again
+have the opportunity to be matched for this request.
diff --git a/cookbook/security/host_restriction.rst b/cookbook/security/host_restriction.rst
index b5b2e529d95..0ee0d334e30 100644
--- a/cookbook/security/host_restriction.rst
+++ b/cookbook/security/host_restriction.rst
@@ -1,70 +1,6 @@
-.. index::
- single: Security; Restrict Security Firewalls to a Host
-
How to Restrict Firewalls to a Specific Host
============================================
-.. versionadded:: 2.4
- Support for restricting security firewalls to a specific host was introduced in
- Symfony 2.4.
-
-When using the Security component, you can create firewalls that match certain
-URL patterns and therefore are activated for all pages whose URL matches
-that pattern. Additionally, you can restrict the initialization of a firewall
-to a host using the ``host`` key:
-
-.. configuration-block::
-
- .. code-block:: yaml
-
- # app/config/security.yml
-
- # ...
-
- security:
- firewalls:
- secured_area:
- pattern: ^/
- host: ^admin\.example\.com$
- http_basic: true
-
- .. code-block:: xml
-
-
-
-
-
-
-
-
-
-
-
-
-
- .. code-block:: php
-
- // app/config/security.php
-
- // ...
-
- $container->loadFromExtension('security', array(
- 'firewalls' => array(
- 'secured_area' => array(
- 'pattern' => '^/',
- 'host' => '^admin\.example\.com$',
- 'http_basic' => true,
- ),
- ),
- ));
-
-The ``host`` (like the ``pattern``) is a regular expression. In this example,
-the firewall will only be activated if the host is equal exactly (due to
-the ``^`` and ``$`` regex characters) to the hostname ``admin.example.com``.
-If the hostname does not match this pattern, the firewall will not be activated
-and subsequent firewalls will have the opportunity to be matched for this
-request.
+As of Symfony 2.5, more possibilities to restrict firewalls have been added.
+You can read everything about all the possibilities (including ``host``)
+in ":doc:`/cookbook/security/firewall_restriction`".
diff --git a/reference/configuration/security.rst b/reference/configuration/security.rst
index accbbd97cbd..a5a643d334c 100644
--- a/reference/configuration/security.rst
+++ b/reference/configuration/security.rst
@@ -17,6 +17,10 @@ Each part will be explained in the next section.
Support for restricting security firewalls to a specific host was introduced in
Symfony 2.4.
+.. versionadded:: 2.5
+ Support for restricting security firewalls to specific http methods was introduced in
+ Symfony 2.5.
+
.. configuration-block::
.. code-block:: yaml
@@ -104,6 +108,8 @@ Each part will be explained in the next section.
pattern: .*
# restrict the firewall to a specific host
host: admin\.example\.com
+ # restrict the firewall to specific http methods
+ methods: [GET, POST]
request_matcher: some.service.id
access_denied_url: /foo/error403
access_denied_handler: some.service.id