nelmio_security: # prevents framing of the entire site clickjacking: paths: '^/.*': SAMEORIGIN # disables content type sniffing for script resources content_type: nosniff: true # prevents redirections outside the website's domain external_redirects: abort: true log: true # forces Microsoft's XSS-Protection with # its block mode xss_protection: enabled: true mode_block: true # Send a full URL in the `Referer` header when performing a same-origin request, # only send the origin of the document to secure destination (HTTPS->HTTPS), # and send no header to a less secure destination (HTTPS->HTTP). # If `strict-origin-when-cross-origin` is not supported, use `no-referrer` policy, # no referrer information is sent along with requests. referrer_policy: enabled: true policies: - 'no-referrer' - 'strict-origin-when-cross-origin'