Last active
May 4, 2021 07:16
-
-
Save relaxnow/8823564 to your computer and use it in GitHub Desktop.
Ibuildings NelmioSecurityBundle recommended configuration
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| nelmio_security: | |
| # don't use signed cookies | |
| # don't use encrypted cookies | |
| # prevent framing of the entire site | |
| clickjacking: | |
| paths: | |
| '^/.*': DENY | |
| # prevent redirections outside the website's domain | |
| external_redirects: | |
| abort: true | |
| log: true | |
| # prevents inline scripts, unsafe eval, external scripts/images/styles/frames, etc | |
| csp: | |
| report_uri: /nelmio/csp/report | |
| report_logger_service: monolog.logger.security | |
| default: [ self ] | |
| script: | |
| # JavaScript CDNs: | |
| - 'https://cdnjs.cloudflare.com' | |
| # disables content type sniffing for script resources | |
| content_type: | |
| nosniff: true | |
| # Force SSL (with HSTS), make sure SSL works before turning this on! | |
| #forced_ssl: | |
| # hsts_max_age: 2592000 # 30 days | |
| # hsts_subdomains: true |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| nelmio_security: | |
| path: /nelmio/csp/report | |
| defaults: { _controller: nelmio_security.csp_reporter_controller:indexAction } | |
| methods: [POST] |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Note that I have not tried this, it will undoubtably need a lot of tweaking.
Also don't forget to turn on HSTS once you have TLS working.