admin/e-ticket
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6438afadbf35b41798cdfc62f1bdc9959be4f6b7
e-ticket/config/packages/nelmio_security.yaml
Serreau Jovann 6438afadbf Add first-party analytics tracker with encrypted transmissions 
Core system:
- AnalyticsUniqId entity (visitor identity with device/os/browser parsing)
- AnalyticsEvent entity (page views linked to visitor)
- POST /t endpoint with AES-256-GCM encrypted payloads
- HMAC-SHA256 visitor hash for anti-tampering
- Async processing via Messenger
- JS module: auto page_view tracking, setAuth for logged users
- Encryption key shared via data-k attribute on body
- setAuth only triggers when cookie consent is accepted
- Clean CSP: remove old tracker domains (Cloudflare, Umami)

100% first-party, no cookies, invisible to adblockers, RGPD-friendly.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 11:52:07 +01:00

91 lines
2.7 KiB
YAML
Raw Blame History

nelmio_security:
clickjacking:
paths:
'^/.*': DENY
content_type:
nosniff: true
referrer_policy:
enabled: true
policies:
- 'no-referrer'
- 'strict-origin-when-cross-origin'
csp:
enforce:
level1_fallback: false
browser_adaptive:
enabled: false
report-uri: '%router.request_context.base_url%/my-csp-report'
frame-ancestors:
- 'self'
frame-src:
- 'self'
- 'https://stripe.com'
- 'https://*.stripe.com'
- 'https://js.stripe.com'
- 'https://challenges.cloudflare.com'
script-src:
- 'self'
- 'https://challenges.cloudflare.com'
- 'https://cdn.jsdelivr.net'
- 'https://js.stripe.com'
- 'unsafe-inline'
style-src:
- 'self'
- 'https://fonts.googleapis.com'
- 'https://cdnjs.cloudflare.com'
- 'https://cdn.jsdelivr.net'
- 'unsafe-inline'
img-src:
- 'self'
- 'data:'
- 'https://*.tile.openstreetmap.org'
- 'https://*.basemaps.cartocdn.com'
- 'https://cdn.jsdelivr.net'
worker-src:
- 'self'
- 'blob:'
connect-src:
- 'self'
- 'https://challenges.cloudflare.com'
- 'https://nominatim.openstreetmap.org'
- 'https://cdn.jsdelivr.net'
- 'https://api.stripe.com'
font-src:
- 'self'
- 'https://cdnjs.cloudflare.com'
- 'https://fonts.googleapis.com'
- 'https://fonts.gstatic.com'
object-src:
- 'none'
form-action:
- 'self'
- 'https://auth.esy-web.dev'
- 'https://*.stripe.com'
- 'https://checkout.stripe.com'
block-all-mixed-content: true
permissions_policy:
enabled: true
policies:
payment: ['self']
camera: ['self']
microphone: []
geolocation: ['self']
external_redirects:
override: /external-redirect
forward_as: redirUrl
log: true
allow_list:
- stripe.com
- connect.stripe.com
- checkout.stripe.com
- hooks.stripe.com
- dashboard.stripe.com
- auth.esy-web.dev
- challenges.cloudflare.com
Reference in New Issue View Git Blame Copy Permalink