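---
# NelmioSecurityBundle configuration: response security headers (clickjacking,
# nosniff, referrer policy, CSP, permissions policy) and external-redirect
# filtering. The original was collapsed onto a single line, which is not
# parseable YAML (": " inside a plain scalar); restored to block style.
nelmio_security:
  clickjacking:
    paths:
      # NOTE(review): DENY conflicts with the CSP frame-ancestors 'self'
      # below. Browsers that support frame-ancestors ignore X-Frame-Options,
      # so same-origin framing is effectively allowed; use SAMEORIGIN here if
      # that is the intent, or drop 'self' from frame-ancestors if it is not.
      '^/.*': DENY

  content_type:
    nosniff: true

  referrer_policy:
    enabled: true
    policies:
      - 'no-referrer'
      - 'strict-origin-when-cross-origin'

  csp:
    enforce:
      level1_fallback: false
      browser_adaptive:
        enabled: false
      # Violation reports are posted to this same-app endpoint (Symfony
      # parameter, resolved at container compile time).
      report-uri: '%router.request_context.base_url%/my-csp-report'
      # NOTE(review): no default-src is set, so fetch directives not listed
      # here (e.g. media-src, manifest-src) fall back to "allow everything".
      # Consider adding default-src ['self'] once the listed sources are
      # confirmed complete.
      frame-ancestors:
        - 'self'
      frame-src:
        - 'self'
        - 'https://stripe.com'
        - 'https://*.stripe.com'
        - 'https://js.stripe.com'
        - 'https://cloudflare.com'  # presumably unused given the more specific hosts below — confirm
        - 'https://*.cloudflareinsights.com'
        - 'https://challenges.cloudflare.com'
      script-src:
        - 'self'
        - 'https://static.cloudflareinsights.com'
        - 'https://challenges.cloudflare.com'
        - 'https://cdn.jsdelivr.net'
        # NOTE(review): 'unsafe-inline' in script-src lets any injected
        # inline script execute, which removes most of the XSS protection
        # CSP provides. Move inline scripts to a nonce- or hash-based
        # allow-list and remove this entry.
        - 'unsafe-inline'
      style-src:
        - 'self'
        - 'https://fonts.googleapis.com'
        - 'https://cdnjs.cloudflare.com'
        - 'https://cdn.jsdelivr.net'
        # Lower risk than in script-src, but still permits injected inline
        # CSS (data exfiltration via selectors); nonce/hash if feasible.
        - 'unsafe-inline'
      img-src:
        - 'self'
        - 'data:'
        - 'https://*.tile.openstreetmap.org'
        - 'https://*.basemaps.cartocdn.com'
        - 'https://cdn.jsdelivr.net'
      worker-src:
        - 'self'
        - 'blob:'
      connect-src:
        - 'self'
        - 'https://cloudflareinsights.com'
        - 'https://static.cloudflareinsights.com'
        - 'https://tools-security.esy-web.dev'
        - 'https://challenges.cloudflare.com'
        - 'https://nominatim.openstreetmap.org'
        - 'https://cdn.jsdelivr.net'
      font-src:
        - 'self'
        - 'https://cdnjs.cloudflare.com'
        - 'https://fonts.googleapis.com'
        - 'https://fonts.gstatic.com'
      object-src:
        - 'none'
      # Restricts where forms may submit; the auth host is the only
      # cross-origin target.
      form-action:
        - 'self'
        - 'https://auth.esy-web.dev'
      # block-all-mixed-content is deprecated in current browsers;
      # upgrade-insecure-requests is the recommended replacement — verify
      # the bundle version in use exposes it before switching.
      block-all-mixed-content: true

  permissions_policy:
    enabled: true
    policies:
      payment: ['self']
      camera: ['self']
      microphone: []  # empty list = feature disabled for all origins
      geolocation: ['self']

  external_redirects:
    # Off-site redirects are routed through this controller path, with the
    # target passed in the "redirUrl" query parameter, and logged.
    override: /external-redirect
    forward_as: redirUrl
    log: true
    # Hosts exempt from the redirect interstitial. Keep this list minimal:
    # every entry is a host an open-redirect could send users to directly.
    allow_list:
      - cloudflareinsights.com
      - static.cloudflareinsights.com
      - stripe.com
      - connect.stripe.com
      - checkout.stripe.com
      - hooks.stripe.com
      - dashboard.stripe.com
      - auth.esy-web.dev
      - challenges.cloudflare.com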