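# NelmioSecurityBundle configuration: browser-side hardening headers.
# Collapsed onto one line the leading "# Content Security Policy" comment
# swallowed the whole document (nelmio_security parsed as null), so the
# file is laid out in block style with 2-space indentation.
nelmio_security:
  # Referrer-Policy: full URL only to same-origin, origin only cross-origin
  # over HTTPS, nothing on a downgrade.
  referrer_policy:
    enabled: true
    policies:
      - 'strict-origin-when-cross-origin'

  # X-Content-Type-Options: nosniff
  content_type:
    nosniff: true

  # X-Frame-Options: DENY on every path; complements the CSP
  # frame-ancestors 'none' below for browsers that do not support CSP.
  clickjacking:
    paths:
      '^/.*': DENY

  # Permissions-Policy. Values use the header's own syntax: `self` is a
  # bare token here (no inner single quotes, unlike the CSP sources below)
  # and an empty list denies the feature to every origin, including ours.
  permissions_policy:
    enabled: true
    policies:
      camera: [self]
      microphone: [self]
      geolocation: [self]
      fullscreen: [self]
      payment: [self]
      # Blocked for everyone, including the page itself.
      usb: []

  csp:
    hash:
      algorithm: 'sha256'
    # `enforce` (not `report_only`): violations block the resource. No
    # report-uri is configured, so blocked resources are invisible to us;
    # NOTE(review): consider the bundle's report endpoint before changing
    # this policy in production.
    enforce:
      default-src: ["'self'"]
      # Plugins disabled and <base> pinned to our origin: closes the two
      # classic CSP bypasses (object injection, base-href redirection).
      object-src: ["'none'"]
      base-uri: ["'self'"]
      worker-src: ["'self'"]
      script-src:
        - "'self'"
        # NOTE(review): `nonce` is a bare token; the bundle emits the real
        # 'nonce-…' source when a nonce is requested from the template.
        # Confirm this entry has any effect and drop it if it does not.
        - "nonce"
        # With 'strict-dynamic', CSP3 browsers ignore 'self' and the host
        # list for scripts and trust only nonced/hashed scripts plus what
        # they load. The hosts below are the fallback for older browsers.
        - "'strict-dynamic'"
        - "https://sentry.esy-web.dev"
        - "https://chat.esy-web.dev"
        - "https://auth.esy-web.dev"
        - "https://static.cloudflareinsights.com"
        - "https://challenges.cloudflare.com"
      connect-src:
        - "'self'"
        - "https://sentry.esy-web.dev"
        - "https://chat.esy-web.dev"
        - "https://auth.esy-web.dev"
        - "https://cloudflareinsights.com"
        - "https://challenges.cloudflare.com"
        - "https://tools-security.esy-web.dev"
        # Trailing "/" is a path prefix matching the whole origin; kept
        # as written, but it is the only entry with a path component.
        - "https://checkout.stripe.com/"
      frame-src:
        - "'self'"
        - "https://chat.esy-web.dev"
        - "https://auth.esy-web.dev"
        - "https://challenges.cloudflare.com"
      style-src:
        - "'self'"
        # 'unsafe-inline' for styles is the weakest point of this policy:
        # injected style attributes/elements are allowed. Moving inline
        # styles to nonces or hashes would let this be removed.
        - "'unsafe-inline'"
        - "https://chat.esy-web.dev"
      img-src:
        - "'self'"
        - "data:"
        - "https://chat.esy-web.dev"
      font-src:
        - "'self'"
        - "data:"
      # No form-action directive: form submissions fall back to default
      # CSP behaviour (unrestricted targets), not to default-src.
      frame-ancestors: ["'none'"]
      # Optional: tells the browser to fetch this page's http:// subresources
      # and same-site navigations over https://. It does not redirect the
      # page itself; HSTS / server-side redirects are separate settings.
      upgrade-insecure-requests: true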