config/packages/nelmio_security.yaml

nelmio_security:

    clickjacking:
        paths:
            '^/.*': DENY

    content_type:
        nosniff: true

    referrer_policy:
        enabled: true
        policies:
            - 'no-referrer'
            - 'strict-origin-when-cross-origin'

    csp:
        enforce:
            level1_fallback: false
            browser_adaptive:
                enabled: false
            report-uri: '%router.request_context.base_url%/my-csp-report'
            frame-ancestors:
                - 'self'
            frame-src:
                - 'self'
                - 'https://stripe.com'
                - 'https://*.stripe.com'
                - 'https://js.stripe.com'
                - 'https://cloudflare.com'
                - 'https://*.cloudflareinsights.com'
                - 'https://challenges.cloudflare.com'
            script-src:
                - 'self'
                - 'https://static.cloudflareinsights.com'
                - 'https://challenges.cloudflare.com'
                - 'https://cdn.jsdelivr.net'
                - 'https://js.stripe.com'
                - 'unsafe-inline'
            style-src:
                - 'self'
                - 'https://fonts.googleapis.com'
                - 'https://cdnjs.cloudflare.com'
                - 'https://cdn.jsdelivr.net'
                - 'unsafe-inline'
            img-src:
                - 'self'
                - 'data:'
                - 'https://*.tile.openstreetmap.org'
                - 'https://*.basemaps.cartocdn.com'
                - 'https://cdn.jsdelivr.net'
            worker-src:
                - 'self'
                - 'blob:'
            connect-src:
                - 'self'
                - 'https://cloudflareinsights.com'
                - 'https://static.cloudflareinsights.com'
                - 'https://challenges.cloudflare.com'
                - 'https://nominatim.openstreetmap.org'
                - 'https://cdn.jsdelivr.net'
                - 'https://api.stripe.com'
            font-src:
                - 'self'
                - 'https://cdnjs.cloudflare.com'
                - 'https://fonts.googleapis.com'
                - 'https://fonts.gstatic.com'
            object-src:
                - 'none'
            form-action:
                - 'self'
                - 'https://auth.esy-web.dev'
                - 'https://*.stripe.com'
                - 'https://checkout.stripe.com'
            block-all-mixed-content: true

    permissions_policy:
        enabled: true
        policies:
            payment: ['self']
            camera: ['self']
            microphone: []
            geolocation: ['self']

    external_redirects:
        override: /external-redirect
        forward_as: redirUrl
        log: true
        allow_list:
            - cloudflareinsights.com
            - static.cloudflareinsights.com
            - stripe.com
            - connect.stripe.com
            - checkout.stripe.com
            - hooks.stripe.com
            - dashboard.stripe.com
            - auth.esy-web.dev
            - challenges.cloudflare.com
init 2026-04-01 15:42:52 +02:00			`nelmio_security:`

			`clickjacking:`
			`paths:`
			`'^/.*': DENY`

			`content_type:`
			`nosniff: true`

			`referrer_policy:`
			`enabled: true`
			`policies:`
			`- 'no-referrer'`
			`- 'strict-origin-when-cross-origin'`

			`csp:`
			`enforce:`
			`level1_fallback: false`
			`browser_adaptive:`
			`enabled: false`
			`report-uri: '%router.request_context.base_url%/my-csp-report'`
			`frame-ancestors:`
			`- 'self'`
			`frame-src:`
			`- 'self'`
			`- 'https://stripe.com'`
			`- 'https://*.stripe.com'`
			`- 'https://js.stripe.com'`
			`- 'https://cloudflare.com'`
			`- 'https://*.cloudflareinsights.com'`
			`- 'https://challenges.cloudflare.com'`
			`script-src:`
			`- 'self'`
			`- 'https://static.cloudflareinsights.com'`
			`- 'https://challenges.cloudflare.com'`
			`- 'https://cdn.jsdelivr.net'`
			`- 'https://js.stripe.com'`
			`- 'unsafe-inline'`
			`style-src:`
			`- 'self'`
			`- 'https://fonts.googleapis.com'`
			`- 'https://cdnjs.cloudflare.com'`
			`- 'https://cdn.jsdelivr.net'`
			`- 'unsafe-inline'`
			`img-src:`
			`- 'self'`
			`- 'data:'`
			`- 'https://*.tile.openstreetmap.org'`
			`- 'https://*.basemaps.cartocdn.com'`
			`- 'https://cdn.jsdelivr.net'`
			`worker-src:`
			`- 'self'`
			`- 'blob:'`
			`connect-src:`
			`- 'self'`
			`- 'https://cloudflareinsights.com'`
			`- 'https://static.cloudflareinsights.com'`
			`- 'https://challenges.cloudflare.com'`
			`- 'https://nominatim.openstreetmap.org'`
			`- 'https://cdn.jsdelivr.net'`
			`- 'https://api.stripe.com'`
			`font-src:`
			`- 'self'`
			`- 'https://cdnjs.cloudflare.com'`
			`- 'https://fonts.googleapis.com'`
			`- 'https://fonts.gstatic.com'`
			`object-src:`
			`- 'none'`
			`form-action:`
			`- 'self'`
			`- 'https://auth.esy-web.dev'`
			`- 'https://*.stripe.com'`
			`- 'https://checkout.stripe.com'`
			`block-all-mixed-content: true`

			`permissions_policy:`
			`enabled: true`
			`policies:`
			`payment: ['self']`
			`camera: ['self']`
			`microphone: []`
			`geolocation: ['self']`

			`external_redirects:`
			`override: /external-redirect`
			`forward_as: redirUrl`
			`log: true`
			`allow_list:`
			`- cloudflareinsights.com`
			`- static.cloudflareinsights.com`
			`- stripe.com`
			`- connect.stripe.com`
			`- checkout.stripe.com`
			`- hooks.stripe.com`
			`- dashboard.stripe.com`
			`- auth.esy-web.dev`
			`- challenges.cloudflare.com`