nelmio_security: # prevents framing of the entire site clickjacking: paths: '^/.*': SAMEORIGIN # disables content type sniffing for script resources content_type: nosniff: true # prevents redirections outside the website's domain external_redirects: abort: true log: true allow_list: # Whitelist the domain of the SAML IDP, so we can redirect to it during the SAML login process - '%env(string:key:host:url:SAML_IDP_SINGLE_SIGN_ON_SERVICE)%' # Whitelist the info provider APIs (OAuth redirects) - 'digikey.com' - 'nexar.com' # forces Microsoft's XSS-Protection with # its block mode xss_protection: enabled: true mode_block: true # Send a full URL in the `Referer` header when performing a same-origin request, # only send the origin of the document to secure destination (HTTPS->HTTPS), # and send no header to a less secure destination (HTTPS->HTTP). # If `strict-origin-when-cross-origin` is not supported, use `no-referrer` policy, # no referrer information is sent along with requests. referrer_policy: enabled: true policies: - 'no-referrer' - 'strict-origin-when-cross-origin' csp: enabled: true hosts: [ ] content_types: [ ] enforce: level1_fallback: false browser_adaptive: enabled: false report-uri: '%router.request_context.base_url%/csp/report' default-src: - 'self' img-src: - '*' - 'data:' style-src: - 'self' - 'unsafe-inline' - 'data:' script-src: - 'self' object-src: - 'self' - 'data:' frame-src: - 'self' - 'data:' block-all-mixed-content: true # defaults to false, blocks HTTP content over HTTPS transport # upgrade-insecure-requests: true # defaults to false, upgrades HTTP requests to HTTPS transport when@dev: # disables the Content-Security-Policy header nelmio_security: csp: enabled: false