e-ticket/config/packages/nelmio_security.yaml

nelmio_security:

    clickjacking:
        paths:
            '^/.*': DENY

    content_type:
        nosniff: true

    referrer_policy:
        enabled: true
        policies:
            - 'no-referrer'
            - 'strict-origin-when-cross-origin'

    csp:
        enforce:
            level1_fallback: false
            browser_adaptive:
                enabled: false
            report-uri: '%router.request_context.base_url%/my-csp-report'
            frame-ancestors:
                - 'self'
            frame-src:
                - 'self'
                - 'https://stripe.com'
                - 'https://*.stripe.com'
                - 'https://js.stripe.com'
                - 'https://cloudflare.com'
                - 'https://*.cloudflareinsights.com'
                - 'https://challenges.cloudflare.com'
            script-src:
                - 'self'
                - 'https://static.cloudflareinsights.com'
                - 'https://challenges.cloudflare.com'
                - 'https://cdn.jsdelivr.net'
                - 'https://js.stripe.com'
                - 'unsafe-inline'
            style-src:
                - 'self'
                - 'https://fonts.googleapis.com'
                - 'https://cdnjs.cloudflare.com'
                - 'https://cdn.jsdelivr.net'
                - 'unsafe-inline'
            img-src:
                - 'self'
                - 'data:'
                - 'https://*.tile.openstreetmap.org'
                - 'https://*.basemaps.cartocdn.com'
                - 'https://cdn.jsdelivr.net'
            worker-src:
                - 'self'
                - 'blob:'
            connect-src:
                - 'self'
                - 'https://cloudflareinsights.com'
                - 'https://static.cloudflareinsights.com'
                - 'https://tools-security.esy-web.dev'
                - 'https://challenges.cloudflare.com'
                - 'https://nominatim.openstreetmap.org'
                - 'https://cdn.jsdelivr.net'
                - 'https://api.stripe.com'
            font-src:
                - 'self'
                - 'https://cdnjs.cloudflare.com'
                - 'https://fonts.googleapis.com'
                - 'https://fonts.gstatic.com'
            object-src:
                - 'none'
            form-action:
                - 'self'
                - 'https://auth.esy-web.dev'
                - 'https://*.stripe.com'
                - 'https://checkout.stripe.com'
            block-all-mixed-content: true

    permissions_policy:
        enabled: true
        policies:
            payment: ['self']
            camera: ['self']
            microphone: []
            geolocation: ['self']

    external_redirects:
        override: /external-redirect
        forward_as: redirUrl
        log: true
        allow_list:
            - cloudflareinsights.com
            - static.cloudflareinsights.com
            - stripe.com
            - connect.stripe.com
            - checkout.stripe.com
            - hooks.stripe.com
            - dashboard.stripe.com
            - auth.esy-web.dev
            - challenges.cloudflare.com