Implemented a Content-Security-Policy which disallows external and inline scripts

This commit is contained in:
Jan Böhmer 2022-08-03 21:40:42 +02:00
parent 89d64b7565
commit 529cf1dff1
2 changed files with 35 additions and 0 deletions


@ -29,3 +29,32 @@ nelmio_security:
policies: policies:
- 'no-referrer' - 'no-referrer'
- 'strict-origin-when-cross-origin' - 'strict-origin-when-cross-origin'
csp:
enabled: true
hosts: [ ]
content_types: [ ]
enforce:
level1_fallback: false
browser_adaptive:
enabled: false
report-uri: '%router.request_context.base_url%/csp/report'
default-src:
- 'self'
img-src:
- '*'
- 'data:'
style-src:
- 'self'
- 'unsafe-inline'
- 'data:'
script-src:
- 'self'
object-src:
- 'self'
- 'data:'
frame-src:
- 'self'
- 'data:'
block-all-mixed-content: true # defaults to false, blocks HTTP content over HTTPS transport
# upgrade-insecure-requests: true # defaults to false, upgrades HTTP requests to HTTPS transport
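Review bot: The `object-src` list near the end of the hunk allows `'self'` and `'data:'`, which still lets plugin content be loaded from data: URIs; nothing in the hunk suggests the application embeds plugins, so `object-src:` with a single `- 'none'` entry is the usual hardening and closes the gap the commit title is aiming at. The policy also carries no `base-uri` directive, so an injected `<base>` element could redirect the relative URLs that `script-src 'self'` otherwise protects; a `base-uri:` entry with `- 'self'` (and a matching `form-action:`) next to `default-src` is cheap, and the bundle accepts both directives. `style-src` keeps `'unsafe-inline'`, which is a deliberate trade-off worth stating on that line, e.g. `- 'unsafe-inline'  # inline styles still allowed; inline scripts are not`. The `nelmio_security:` mapping this hunk extends starts before the hunk, and the page has lost the original indentation, so nesting cannot be checked here.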


@ -8,6 +8,12 @@ scan_qr:
path: /scan/{type}/{id} path: /scan/{type}/{id}
controller: App\Controller\ScanController:scanQRCode controller: App\Controller\ScanController:scanQRCode
csp_report:
path: /csp/report
methods: [POST]
defaults: { _controller: nelmio_security.csp_reporter_controller::indexAction }
# Must be last as it matches everything
redirector: redirector:
path: /{url} path: /{url}
requirements: requirements:
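Review bot: The new `csp_report` route declares its handler through `defaults: { _controller: ... }` while the neighbouring `scan_qr` route uses the `controller:` key; for consistency with the rest of the file it should read `controller: nelmio_security.csp_reporter_controller::indexAction`. The route is a public, unauthenticated POST sink that browsers (and anyone else) can post arbitrary report bodies to, so it amplifies whatever logging the bundle's reporter does; that deserves a comment such as `# Public endpoint: browsers POST CSP violation reports here (target of nelmio_security csp report-uri)` above `csp_report:`, and rate limiting at the reverse proxy is worth considering in deployment notes. Placing it before `redirector` is correct, since the hunk's own comment says that catch-all must stay last.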