webcron/config/packages/nelmio_security.yaml

nelmio_security:
    # prevents framing of the entire site
    clickjacking:
        paths:
            '^/.*': DENY

    # disables content type sniffing for script resources
    content_type:
        nosniff: true

    # forces Microsoft's XSS-Protection with
    # its block mode
    xss_protection:
        enabled: true
        mode_block: true

    # Send a full URL in the `Referer` header when performing a same-origin request,
    # only send the origin of the document to secure destination (HTTPS->HTTPS),
    # and send no header to a less secure destination (HTTPS->HTTP).
    # If `strict-origin-when-cross-origin` is not supported, use `no-referrer` policy,
    # no referrer information is sent along with requests.
    referrer_policy:
        enabled: true
        policies:
            - 'no-referrer'
            - 'strict-origin-when-cross-origin'
    csp:
        enabled: true
        report_logger_service: logger
        hosts: []
        content_types: []
        enforce:
            # see full description below
            level1_fallback: true
            # only send directives supported by the browser, defaults to false
            # this is a port of https://github.com/twitter/secureheaders/blob/83a564a235c8be1a8a3901373dbc769da32f6ed7/lib/secure_headers/headers/policy_management.rb#L97
            browser_adaptive:
                enabled: false
            report-uri: '%router.request_context.base_url%/nelmio/csp/report'
            default-src:
                - 'none'
            script-src:
                - 'self'
            font-src:
                - 'self'
            style-src:
                - 'self'
            img-src:
                - 'self'
                - 'data:'
            connect-src:
                - 'self'
            base-uri:
                - 'none'
            block-all-mixed-content: true # defaults to false, blocks HTTP content over HTTPS transport
            # upgrade-insecure-requests: true # defaults to false, upgrades HTTP requests to HTTPS transport
        report:
            # see full description below
            level1_fallback: true
            # only send directives supported by the browser, defaults to false
            # this is a port of https://github.com/twitter/secureheaders/blob/83a564a235c8be1a8a3901373dbc769da32f6ed7/lib/secure_headers/headers/policy_management.rb#L97
            browser_adaptive:
                enabled: true
            report-uri: '%router.request_context.base_url%/nelmio/csp/report'
            script-src:
                - 'self'