Core system:
- AnalyticsUniqId entity (visitor identity with device/os/browser parsing)
- AnalyticsEvent entity (page views linked to visitor)
- POST /t endpoint with AES-256-GCM encrypted payloads
- HMAC-SHA256 visitor hash for anti-tampering
- Async processing via Messenger
- JS module: auto page_view tracking, setAuth for logged users
- Encryption key shared via data-k attribute on body
- setAuth only triggers when cookie consent is accepted
- Clean CSP: remove old tracker domains (Cloudflare, Umami)

100% first-party, no cookies, invisible to adblockers, RGPD-friendly.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
21 lines
734 B
YAML
nelmio_security:
    csp:
        enforce:
            script-src:
                - 'self'
                - 'nonce'

            # Restrict form submissions to our own domain
            # and to the OAuth redirects of the social sharing platforms
            form-action:
                - 'self'
                - 'https://www.facebook.com'
                - 'https://x.com'
                - 'https://twitter.com'

            # Allow navigator.share() (Web Share API) and the clipboard API;
            # both are native browser APIs, not external network calls.
            # This block is kept for documentation and future integrations
            connect-src:
                - 'self'
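The config above only lists directives and sources; what a reviewer usually wants to see is the header value it produces and a check that the "clean CSP" property (first-party everywhere except the listed OAuth redirect hosts) does not regress when someone edits the YAML. The following is an added example, not code from this project or from the NelmioSecurityBundle. It assumes only that each `directive: [sources]` entry is serialized as `directive src src;`, and it treats the literal `'nonce'` source as a placeholder that is expanded to a per-response `'nonce-<value>'` (an assumed convention, not the bundle's documented behaviour). The legacy tracker hostnames are constructed placeholders, since the commit names only the vendors, not the old domains.

```python
"""Serialize a CSP directive map into a header value and review it for
first-party policy violations. Added example with constructed inputs."""
from urllib.parse import urlparse

# Constructed copy of the directives shown in the config above.
ENFORCE = {
    "script-src": ["'self'", "'nonce'"],
    "form-action": ["'self'", "https://www.facebook.com",
                    "https://x.com", "https://twitter.com"],
    "connect-src": ["'self'"],
}

# Hosts that must never reappear. Placeholders standing in for the removed
# third-party tracker domains; the real values are not on the page.
LEGACY_TRACKER_HOSTS = {"tracker.cloudflare.invalid", "umami.example.invalid"}

# Per-directive host allowlist: only the OAuth redirect targets from the config.
FIRST_PARTY_ALLOWLIST = {
    "form-action": {"www.facebook.com", "x.com", "twitter.com"},
}


def render_csp(directives, nonce):
    """Render {directive: [sources]} to a Content-Security-Policy value.
    The literal 'nonce' placeholder becomes 'nonce-<value>' (assumed convention)."""
    parts = []
    for name, sources in directives.items():
        rendered = [f"'nonce-{nonce}'" if s == "'nonce'" else s for s in sources]
        parts.append(f"{name} {' '.join(rendered)}")
    return "; ".join(parts)


def parse_csp(header):
    """Parse a CSP header value back into {directive: [sources]}."""
    out = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            out[tokens[0]] = tokens[1:]
    return out


def policy_findings(header, allowlist):
    """Return review findings for a CSP value:
    - weak keywords ('unsafe-inline', 'unsafe-eval', bare '*')
    - any legacy tracker host reappearing in any directive
    - any host source not on that directive's explicit allowlist
    Keyword sources such as 'self' and 'nonce-...' are accepted as first-party."""
    findings = []
    for directive, sources in parse_csp(header).items():
        allowed = allowlist.get(directive, set())
        for src in sources:
            if src in ("'unsafe-inline'", "'unsafe-eval'", "*"):
                findings.append(f"{directive}: weak source {src}")
            elif src.startswith("'"):
                continue
            else:
                host = urlparse(src).hostname or src
                if host in LEGACY_TRACKER_HOSTS:
                    findings.append(f"{directive}: legacy tracker host {host}")
                elif host not in allowed:
                    findings.append(f"{directive}: host {host} not on allowlist")
    return findings


if __name__ == "__main__":
    header = render_csp(ENFORCE, nonce="c29tZXJhbmRvbQ")  # constructed nonce
    print(header)
    print(policy_findings(header, FIRST_PARTY_ALLOWLIST) or "no findings")
```

Run as a unit test in CI against the rendered policy, `policy_findings` returning an empty list is the guard that the tracker domains stay out and that no one reintroduces `'unsafe-inline'` to make a third-party snippet work; a non-empty list names the directive and source so the reviewer can point at the exact YAML line.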