nelmio_security: # prevents framing of the entire site clickjacking: paths: '^/.*': DENY # disables content type sniffing for script resources content_type: nosniff: true # forces Microsoft's XSS-Protection with # its block mode xss_protection: enabled: true mode_block: true # Send a full URL in the `Referer` header when performing a same-origin request, # only send the origin of the document to secure destination (HTTPS->HTTPS), # and send no header to a less secure destination (HTTPS->HTTP). # If `strict-origin-when-cross-origin` is not supported, use `no-referrer` policy, # no referrer information is sent along with requests. referrer_policy: enabled: true policies: - 'no-referrer' - 'strict-origin-when-cross-origin' csp: enabled: true report_logger_service: logger hosts: [] content_types: [] enforce: # see full description below level1_fallback: true # only send directives supported by the browser, defaults to false # this is a port of https://github.com/twitter/secureheaders/blob/83a564a235c8be1a8a3901373dbc769da32f6ed7/lib/secure_headers/headers/policy_management.rb#L97 browser_adaptive: enabled: false report-uri: '%router.request_context.base_url%/nelmio/csp/report' default-src: - 'none' script-src: - 'self' font-src: - 'self' style-src: - 'self' img-src: - 'self' - 'data:' connect-src: - 'self' base-uri: - 'none' block-all-mixed-content: true # defaults to false, blocks HTTP content over HTTPS transport # upgrade-insecure-requests: true # defaults to false, upgrades HTTP requests to HTTPS transport report: # see full description below level1_fallback: true # only send directives supported by the browser, defaults to false # this is a port of https://github.com/twitter/secureheaders/blob/83a564a235c8be1a8a3901373dbc769da32f6ed7/lib/secure_headers/headers/policy_management.rb#L97 browser_adaptive: enabled: true report-uri: '%router.request_context.base_url%/nelmio/csp/report' script-src: - 'self'