Part-DB.Part-DB-server/config/packages/nelmio_security.yaml

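nelmio_security:
  # prevents framing of the entire site
  # (every path gets X-Frame-Options: SAMEORIGIN; frame-ancestors is not set
  # in the CSP below, so this header is the only anti-framing control)
  clickjacking:
    paths:
      '^/.*': SAMEORIGIN
  # disables content type sniffing for script resources
  content_type:
    nosniff: true
  # prevents redirections outside the website's domain
  # (abort: the redirect is refused; log: the attempt is logged)
  external_redirects:
    abort: true
    log: true
    allow_list:
      # Whitelist the domain of the SAML IDP, so we can redirect to it during the SAML login process
      # (host is extracted at runtime from the configured IDP SSO URL)
      - '%env(string:key:host:url:SAML_IDP_SINGLE_SIGN_ON_SERVICE)%'
      # Whitelist the info provider APIs (OAuth redirects)
      # NOTE(review): entries are bare domains — confirm whether the bundle
      # matches them as host suffixes (i.e. including subdomains) before
      # adding broader entries here.
      - 'digikey.com'
      - 'nexar.com'
  # forces Microsoft's XSS-Protection with
  # its block mode
  # (the X-XSS-Protection header is no longer honoured by current browsers;
  # keeping it is harmless, the CSP below is the effective control)
  xss_protection:
    enabled: true
    mode_block: true
  # Send a full URL in the `Referer` header when performing a same-origin request,
  # only send the origin of the document to secure destination (HTTPS->HTTPS),
  # and send no header to a less secure destination (HTTPS->HTTP).
  # If `strict-origin-when-cross-origin` is not supported, use `no-referrer` policy,
  # no referrer information is sent along with requests.
  referrer_policy:
    enabled: true
    policies:
      - 'no-referrer'
      - 'strict-origin-when-cross-origin'
  csp:
    enabled: true
    # no host / content-type restriction: the policy applies to every response
    hosts: []
    content_types: []
    # enforce (not report-only): violations are blocked AND posted to report-uri
    enforce:
      level1_fallback: false
      browser_adaptive:
        enabled: false
      report-uri: '%router.request_context.base_url%/csp/report'
      default-src:
        - 'self'
      # images may come from any origin and from data: URIs
      img-src:
        - '*'
        - 'data:'
      # 'unsafe-inline' only loosens inline *styles*; script-src stays 'self'
      style-src:
        - 'self'
        - 'unsafe-inline'
        - 'data:'
      script-src:
        - 'self'
      # NOTE(review): 'data:' in object-src / frame-src allows plugin and frame
      # content from data: URIs; object-src 'none' is the usual hardening.
      # Keep only if the app relies on it (e.g. inline attachment previews) — confirm.
      object-src:
        - 'self'
        - 'data:'
      frame-src:
        - 'self'
        - 'data:'
      block-all-mixed-content: true # defaults to false, blocks HTTP content over HTTPS transport
      # upgrade-insecure-requests: true # defaults to false, upgrades HTTP requests to HTTPS transport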
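# dev-environment override (Symfony `when@<env>` block)
when@dev:
  # disables the Content-Security-Policy header
  # NOTE: with CSP off in dev, policy violations are neither blocked nor
  # reported there — verify CSP changes in an environment where it is enabled.
  nelmio_security:
    csp:
      enabled: false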