made it clear that the profiler is for dev only

src/Symfony/Bundle/WebProfilerBundle/README.md

@@ -1,6 +1,12 @@
 WebProfilerBundle
 =================
 
+The Web profiler bundle is a **development tool** that gives detailed
+information about the execution of any request.
+
+**Never** enable it on production servers as it will lead to major security
+vulnerabilities in your project.
+
 Resources
 ---------
 

src/Symfony/Bundle/WebProfilerBundle/WebProfilerBundle.php

@@ -14,10 +14,14 @@ namespace Symfony\Bundle\WebProfilerBundle;
 use Symfony\Component\HttpKernel\Bundle\Bundle;
 
 /**
- * Bundle.
- *
  * @author Fabien Potencier <fabien@symfony.com>
  */
 class WebProfilerBundle extends Bundle
 {
+    public function boot()
+    {
+        if ('prod' === $this->container->getParameter('kernel.environment')) {
+            @trigger_error('Using WebProfilerBundle in production is not supported and puts your project at risk, disable it.', E_USER_WARNING);
+        }
+    }
 }

src/Symfony/Component/HttpKernel/Profiler/ProfilerStorageInterface.php

@@ -14,6 +14,14 @@ namespace Symfony\Component\HttpKernel\Profiler;
 /**
  * ProfilerStorageInterface.
  *
+ * This interface exists for historical reasons. The only supported
+ * implementation is FileProfilerStorage.
+ *
+ * As the profiler must only be used on non-production servers, the file storage
+ * is more than enough and no other implementations will ever be supported.
+ *
+ * @internal since 4.2
+ *
  * @author Fabien Potencier <fabien@symfony.com>
  */
 interface ProfilerStorageInterface