✨ feat(sécurité): Améliore la configuration CSP et Permissions-Policy pour plus de contrôle.

ansible/templates/caddy.j2

@@ -13,7 +13,6 @@ intranet.ludikevent.fr, signature.ludikevent.fr {
     # --- BLOC HEADER AVEC CSP ---
     header {
         X-Robots-Tag "noindex, nofollow, nosnippet, noarchive"
-        Permissions-Policy "accelerometer=(), autoplay=(), camera=(), clipboard-write=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), usb=(), vr=(), screen-wake-lock=(), xr-spatial-tracking=(), bluetooth=(), ambient-light-sensor=(), battery=(), gamepad=(), notifications=(), push=()"
         X-Content-Type-Options "nosniff"
         X-Frame-Options "DENY"
         Referrer-Policy "strict-origin-when-cross-origin"

config/packages/nelmio_security.yaml

@@ -1,5 +1,19 @@
 nelmio_security:
     # Content Security Policy (CSP)
+    referrer_policy:
+        enabled: true
+        policies:
+            - 'strict-origin-when-cross-origin'
+    permissions_policy:
+        enabled: true
+        policies:
+            camera: [self]         # Correct : sans les guillemets simples internes
+            microphone: [self]     # Correct
+            geolocation: [self]    # Correct
+            fullscreen: [self]     # Correct
+            payment: [self]        # Correct
+            # Si tu veux bloquer une fonction pour tout le monde :
+            usb: []
     csp:
         enforce:
             default-src: ["'self'"]
@@ -10,6 +24,7 @@ nelmio_security:
                 - "https://chat.esy-web.dev"
                 - "https://auth.esy-web.dev"
                 - "https://static.cloudflareinsights.com"
+                - "https://challenges.cloudflare.com"
                 - "'strict-dynamic'"
             connect-src:
                 - "'self'"
@@ -17,10 +32,12 @@ nelmio_security:
                 - "https://chat.esy-web.dev"
                 - "https://auth.esy-web.dev"
                 - "https://cloudflareinsights.com"
+                - "https://challenges.cloudflare.com"
             frame-src:
                 - "'self'"
                 - "https://chat.esy-web.dev"
                 - "https://auth.esy-web.dev"
+                - "https://challenges.cloudflare.com"
             style-src:
                 - "'self'"
                 - "'unsafe-inline'"