website/config/packages/nelmio_security.yaml
Jeroen De Meerleer 60de619080
Add 'connect-src' directive to Content Security Policy
This commit adds the 'connect-src' directive to the Content Security Policy in the nelmio_security.yaml file. This allows connections only to the same origin ('self').
2024-02-07 17:22:05 +01:00

62 lines
1.6 KiB
YAML

nelmio_security:
# prevents framing of the entire site
clickjacking:
paths:
'^/.*': DENY
# disables content type sniffing for script resources
content_type:
nosniff: true
# forces Microsoft's XSS-Protection with
# its block mode
xss_protection:
enabled: true
mode_block: true
forced_ssl:
hsts_max_age: 31536000 # 1 year
hsts_preload: true
hsts_subdomains: true
# Send a full URL in the `Referer` header when performing a same-origin request,
# only send the origin of the document to secure destination (HTTPS->HTTPS),
# and send no header to a less secure destination (HTTPS->HTTP).
# If `strict-origin-when-cross-origin` is not supported, use `no-referrer` policy,
# no referrer information is sent along with requests.
referrer_policy:
enabled: true
policies:
- 'same-origin'
csp:
hosts: []
content_types: []
enforce:
level1_fallback: false
browser_adaptive:
enabled: false
default-src:
- 'none'
script-src:
- 'self'
style-src:
- 'self'
img-src:
- 'self'
font-src:
- 'self'
connect-src:
- 'self'
form-action:
- 'none'
frame-ancestors:
- 'none'
block-all-mixed-content: true
when@dev:
nelmio_security:
csp:
enforce:
default-src:
- 'self'