From 529cf1dff15c7b522b93eabb7ca5e7670945f971 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20B=C3=B6hmer?=
Date: Wed, 3 Aug 2022 21:40:42 +0200
Subject: [PATCH] Implemented a Content-Security-Policy which disallows external and inline scripts
---
 config/packages/nelmio_security.yaml | 29 ++++++++++++++++++++++++++++
 config/routes.yaml | 6 ++++++
 2 files changed, 35 insertions(+)
diff --git a/config/packages/nelmio_security.yaml b/config/packages/nelmio_security.yaml
index f9b5cd32..24e0a50d 100644
--- a/config/packages/nelmio_security.yaml
+++ b/config/packages/nelmio_security.yaml
@@ -29,3 +29,32 @@ nelmio_security:
 policies:
 - 'no-referrer'
 - 'strict-origin-when-cross-origin'
+
+ csp:
+ enabled: true
+ hosts: [ ]
+ content_types: [ ]
+ enforce:
+ level1_fallback: false
+ browser_adaptive:
+ enabled: false
+ report-uri: '%router.request_context.base_url%/csp/report'
+ default-src:
+ - 'self'
+ img-src:
+ - '*'
+ - 'data:'
+ style-src:
+ - 'self'
+ - 'unsafe-inline'
+ - 'data:'
+ script-src:
+ - 'self'
+ object-src:
+ - 'self'
+ - 'data:'
+ frame-src:
+ - 'self'
+ - 'data:'
+ block-all-mixed-content: true # defaults to false, blocks HTTP content over HTTPS transport
+ # upgrade-insecure-requests: true # defaults to false, upgrades HTTP requests to HTTPS transport
diff --git a/config/routes.yaml b/config/routes.yaml
index a4c96ac6..7d495d6d 100644
--- a/config/routes.yaml
+++ b/config/routes.yaml
@@ -8,6 +8,12 @@ scan_qr:
 path: /scan/{type}/{id}
 controller: App\Controller\ScanController:scanQRCode
+csp_report:
+ path: /csp/report
+ methods: [POST]
+ defaults: { _controller: nelmio_security.csp_reporter_controller::indexAction }
+
+# Must be last as it matches everything
 redirector:
 path: /{url}
 requirements:
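Review bot: `object-src` and `frame-src` in the new `enforce` block both allow `data:` and `object-src` is not `'none'`; `data:` in those two directives lets injected markup embed attacker-supplied documents or plugin content inside the page, which is exactly what CSP guidance (and CSP Evaluator) flags as high severity. Unless the application demonstrably renders `<object>`/`<embed>` content, change it to `object-src: ['none']` and drop `'data:'` from `frame-src`, keeping it only for a feature that is known to rely on data: frames. Two directives that do not fall back to `default-src` are also absent: `base-uri: ['self']` stops an injected `<base>` from re-rooting relative URLs, and `form-action: ['self']` stops injected forms from posting to other hosts. `img-src: ['*']` leaves images as the one unrestricted outbound channel (an injected `<img src="https://attacker/?…">` still fetches), so list the hosts that actually need to be allowed if that is feasible, and given `style-src 'unsafe-inline'` suggests the templates have not yet been audited for inline content, a report-only phase before `enforce` would catch breakage without blocking users. The enclosing `nelmio_security` mapping begins above the hunk.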
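Review bot: The new `csp_report` route is an unauthenticated, unthrottled POST endpoint handled by `nelmio_security.csp_reporter_controller::indexAction`, which from its name persists the report body to the application log, so any client can flood or pollute the logs with arbitrary JSON; consider a rate limiter on this path (Symfony's RateLimiter component, if available in this version) or at least a dedicated log channel with size limits and rotation. If `security.yaml` protects `^/` with a login requirement, the browser's report POST will be answered with a redirect and never reach the controller, so an `access_control` entry such as `- { path: ^/csp/report, roles: PUBLIC_ACCESS }` (or `IS_AUTHENTICATED_ANONYMOUSLY` on older Symfony) is needed; that file is not in this diff, so verify. As a point of style, `scan_qr` above uses the `controller:` key while the new route uses `defaults: { _controller: … }`; `controller: nelmio_security.csp_reporter_controller::indexAction` would keep the file consistent. The `redirector` definition continues past the end of the hunk.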