66 lines
2.5 KiB
YAML
66 lines
2.5 KiB
YAML
nelmio_security:
|
|
# prevents framing of the entire site
|
|
clickjacking:
|
|
paths:
|
|
'^/.*': DENY
|
|
|
|
# disables content type sniffing for script resources
|
|
content_type:
|
|
nosniff: true
|
|
|
|
# forces Microsoft's XSS-Protection with
|
|
# its block mode
|
|
xss_protection:
|
|
enabled: true
|
|
mode_block: true
|
|
|
|
# Send a full URL in the `Referer` header when performing a same-origin request,
|
|
# only send the origin of the document to secure destination (HTTPS->HTTPS),
|
|
# and send no header to a less secure destination (HTTPS->HTTP).
|
|
# If `strict-origin-when-cross-origin` is not supported, use `no-referrer` policy,
|
|
# no referrer information is sent along with requests.
|
|
referrer_policy:
|
|
enabled: true
|
|
policies:
|
|
- 'no-referrer'
|
|
- 'strict-origin-when-cross-origin'
|
|
csp:
|
|
enabled: true
|
|
report_logger_service: logger
|
|
hosts: []
|
|
content_types: []
|
|
enforce:
|
|
# see full description below
|
|
level1_fallback: true
|
|
# only send directives supported by the browser, defaults to false
|
|
# this is a port of https://github.com/twitter/secureheaders/blob/83a564a235c8be1a8a3901373dbc769da32f6ed7/lib/secure_headers/headers/policy_management.rb#L97
|
|
browser_adaptive:
|
|
enabled: false
|
|
report-uri: '%router.request_context.base_url%/nelmio/csp/report'
|
|
default-src:
|
|
- 'none'
|
|
script-src:
|
|
- 'self'
|
|
font-src:
|
|
- 'self'
|
|
style-src:
|
|
- 'self'
|
|
img-src:
|
|
- 'self'
|
|
- 'data:'
|
|
connect-src:
|
|
- 'self'
|
|
base-uri:
|
|
- 'none'
|
|
block-all-mixed-content: true # defaults to false, blocks HTTP content over HTTPS transport
|
|
# upgrade-insecure-requests: true # defaults to false, upgrades HTTP requests to HTTPS transport
|
|
report:
|
|
# see full description below
|
|
level1_fallback: true
|
|
# only send directives supported by the browser, defaults to false
|
|
# this is a port of https://github.com/twitter/secureheaders/blob/83a564a235c8be1a8a3901373dbc769da32f6ed7/lib/secure_headers/headers/policy_management.rb#L97
|
|
browser_adaptive:
|
|
enabled: true
|
|
report-uri: '%router.request_context.base_url%/nelmio/csp/report'
|
|
script-src:
|
|
- 'self' |