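nelmio_security:
    # prevents framing of the entire site
    # (X-Frame-Options: DENY on every path; the CSP frame-ancestors directive
    # below covers browsers that honour CSP instead)
    clickjacking:
        paths:
            '^/.*': DENY

    # disables content type sniffing for script and style resources
    # (X-Content-Type-Options: nosniff)
    content_type:
        nosniff: true

    # forces Microsoft's XSS-Protection with
    # its block mode
    # NOTE(review): X-XSS-Protection is deprecated and ignored by current
    # Chromium and Firefox; it only affects legacy browsers. The CSP below is
    # the effective control. Value kept as configured.
    xss_protection:
        enabled: true
        mode_block: true

    # `same-origin`: send the full URL in the `Referer` header on same-origin
    # requests and send no `Referer` at all on cross-origin requests, whatever
    # the destination's scheme. If cross-origin HTTPS destinations should still
    # receive the origin, use `strict-origin-when-cross-origin` (with
    # `no-referrer` listed as fallback) instead — but change the `policies`
    # list, this comment describes the value actually configured.
    referrer_policy:
        enabled: true
        policies:
            - 'same-origin'

    csp:
        # empty lists: apply the policy to every host and every response
        # content type (no filtering)
        hosts: []
        content_types: []
        # enforced policy (Content-Security-Policy, not the Report-Only variant)
        enforce:
            # do not additionally emit the legacy X-Content-Security-Policy header
            level1_fallback: false
            # do not tailor the emitted policy to the requesting browser
            browser_adaptive:
                enabled: false
            # violation reports go to the bundle's own report endpoint; the
            # parameter prefixes the application's base path
            report-uri: '%router.request_context.base_url%/nelmio/csp/report'
            # deny everything by default; every fetch directive below opts in
            default-src:
                - 'none'
            # base-uri does NOT inherit from default-src: without it an injected
            # <base> element could redirect every relative script/style URL to
            # another origin. 'self' matches the no-<base> default behaviour.
            base-uri:
                - 'self'
            script-src:
                - 'self'
            style-src:
                - 'self'
            img-src:
                - 'self'
            font-src:
                - 'self'
            # NOTE: connect-src is not set and therefore inherits 'none' — any
            # fetch/XHR/WebSocket issued by the page is blocked; add connect-src
            # if the front end talks to an API
            # no form may submit anywhere; relax to 'self' once the app has forms
            form-action:
                - 'none'
            # CSP counterpart of the clickjacking setting above
            frame-ancestors:
                - 'none'
            # blocks HTTP subresources on HTTPS pages (deprecated in CSP3 but
            # still recognised; upgrade-insecure-requests is the modern form)
            block-all-mixed-content: true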