2023-07-06 09:42:42 +02:00
|
|
|
nelmio_security:
|
|
|
|
# prevents framing of the entire site
|
|
|
|
clickjacking:
|
|
|
|
paths:
|
|
|
|
'^/.*': DENY
|
|
|
|
|
|
|
|
# disables content type sniffing for script resources
|
|
|
|
content_type:
|
|
|
|
nosniff: true
|
|
|
|
|
|
|
|
# forces Microsoft's XSS-Protection with
|
|
|
|
# its block mode
|
|
|
|
xss_protection:
|
|
|
|
enabled: true
|
|
|
|
mode_block: true
|
|
|
|
|
2023-08-04 14:27:37 +02:00
|
|
|
forced_ssl:
|
|
|
|
hsts_max_age: 31536000 # 1 year
|
|
|
|
hsts_preload: true
|
|
|
|
hsts_subdomains: true
|
|
|
|
|
2023-07-06 09:42:42 +02:00
|
|
|
# Send a full URL in the `Referer` header when performing a same-origin request,
|
|
|
|
# only send the origin of the document to secure destination (HTTPS->HTTPS),
|
|
|
|
# and send no header to a less secure destination (HTTPS->HTTP).
|
|
|
|
# If `strict-origin-when-cross-origin` is not supported, use `no-referrer` policy,
|
|
|
|
# no referrer information is sent along with requests.
|
|
|
|
referrer_policy:
|
|
|
|
enabled: true
|
|
|
|
policies:
|
|
|
|
- 'same-origin'
|
|
|
|
|
|
|
|
csp:
|
|
|
|
hosts: []
|
|
|
|
content_types: []
|
|
|
|
enforce:
|
|
|
|
level1_fallback: false
|
|
|
|
browser_adaptive:
|
|
|
|
enabled: false
|
|
|
|
default-src:
|
|
|
|
- 'none'
|
|
|
|
script-src:
|
|
|
|
- 'self'
|
|
|
|
style-src:
|
|
|
|
- 'self'
|
|
|
|
img-src:
|
|
|
|
- 'self'
|
|
|
|
font-src:
|
|
|
|
- 'self'
|
|
|
|
form-action:
|
|
|
|
- 'none'
|
|
|
|
frame-ancestors:
|
|
|
|
- 'none'
|
2023-12-07 12:05:21 +01:00
|
|
|
block-all-mixed-content: true
|
|
|
|
|
|
|
|
when@dev:
|
|
|
|
nelmio_security:
|
|
|
|
csp:
|
|
|
|
enforce:
|
|
|
|
default-src:
|
|
|
|
- 'self'
|