nelmio_security:
  # Clickjacking: send X-Frame-Options: DENY for every path, so no page of
  # the site can be framed. The CSP frame-ancestors directive below carries
  # the same intent for browsers that prefer CSP over X-Frame-Options.
  clickjacking:
    paths:
      '^/.*': DENY

  # X-Content-Type-Options: nosniff, so browsers do not guess a script or
  # style MIME type from the body and execute it.
  content_type:
    nosniff: true

  # Legacy X-XSS-Protection header in block mode. Most current browser
  # engines no longer honour this header; it only affects older clients,
  # and the CSP below is the primary defence against injected script.
  xss_protection:
    enabled: true
    mode_block: true

  # HTTP Strict Transport Security. max-age of one year with subdomains and
  # preload matches the browser preload-list requirements, but preload is
  # effectively a long-term commitment: every subdomain must remain
  # HTTPS-only for at least the max-age once the site is on the list.
  # NOTE(review): the bundle appears to enable forced_ssl when any of its
  # options is set; confirm against the installed bundle version.
  forced_ssl:
    hsts_max_age: 31536000  # 1 year, in seconds
    hsts_preload: true
    hsts_subdomains: true

  # Referrer-Policy: same-origin. The full URL is sent as Referer for
  # same-origin requests; no Referer header at all is sent for cross-origin
  # requests, whatever the destination scheme. (This is stricter than
  # strict-origin-when-cross-origin, which would still leak the origin to
  # HTTPS destinations.)
  referrer_policy:
    enabled: true
    policies:
      - 'same-origin'

  # Content-Security-Policy. hosts and content_types are left empty, which
  # (per the bundle's defaults, presumably) applies the header to every host
  # and response content type. level1_fallback is off, so the legacy
  # X-Content-Security-Policy / X-WebKit-CSP headers are not emitted;
  # browser_adaptive is off, so every user agent receives the same policy.
  csp:
    hosts: []
    content_types: []
    # Enforced (not report-only) directives. default-src 'none' is a
    # deny-by-default baseline; each resource class is then opened to
    # 'self' explicitly. No report-uri / report-to is configured, so
    # violations are not collected anywhere.
    enforce:
      level1_fallback: false
      browser_adaptive:
        enabled: false
      default-src:
        - 'none'
      script-src:
        - 'self'
      style-src:
        - 'self'
      img-src:
        - 'self'
      font-src:
        - 'self'
      connect-src:
        - 'self'
      # 'none' blocks form submission to any target, including this origin;
      # any HTML form in the application will be rejected by the browser.
      form-action:
        - 'none'
      # CSP counterpart of the X-Frame-Options: DENY set under clickjacking.
      frame-ancestors:
        - 'none'
      # Deprecated in CSP3; kept for browsers that still honour it.
      # upgrade-insecure-requests is the current replacement.
      block-all-mixed-content: true

# Symfony environment-conditional override: in the dev environment only, the
# default-src baseline becomes 'self'. The explicit per-resource directives
# above are unchanged, so this only widens resource types that have no
# directive of their own (e.g. media-src, object-src, worker-src).
when@dev:
  nelmio_security:
    csp:
      enforce:
        default-src:
          - 'self'