website/config/packages/nelmio_security.yaml

53 lines
1.5 KiB
YAML

nelmio_security:
# prevents framing of the entire site
clickjacking:
paths:
'^/.*': DENY
# disables content type sniffing for script resources
content_type:
nosniff: true
# forces Microsoft's XSS-Protection with
# its block mode
xss_protection:
enabled: true
mode_block: true
forced_ssl:
hsts_max_age: 31536000 # 1 year
hsts_preload: true
hsts_subdomains: true
# Send a full URL in the `Referer` header when performing a same-origin request,
# only send the origin of the document to secure destination (HTTPS->HTTPS),
# and send no header to a less secure destination (HTTPS->HTTP).
# If `strict-origin-when-cross-origin` is not supported, use `no-referrer` policy,
# no referrer information is sent along with requests.
referrer_policy:
enabled: true
policies:
- 'same-origin'
csp:
hosts: []
content_types: []
enforce:
level1_fallback: false
browser_adaptive:
enabled: false
default-src:
- 'none'
script-src:
- 'self'
style-src:
- 'self'
img-src:
- 'self'
font-src:
- 'self'
form-action:
- 'none'
frame-ancestors:
- 'none'
block-all-mixed-content: true