[SecurityCenter] Set additional security headers #3712

Guite · 2017-07-26T06:45:37Z

Set X-Content-Type-Options by default to nosniff.
Set X-XSS-Protection by default to 1; mode=block instead of 1.
Set Content-Security-Policy to a restrictive value (depends on Remove all remaining inline JS and CSS #3711).
Make all configurable similar as X-Frame-Options (see ClickjackProtectionListener).
https://content-security-policy.com/
https://dev.to/jszutkowski/applying-content-security-policy-in-symfony-to-reduce-xss-risks-5a4l

The text was updated successfully, but these errors were encountered:

Guite added the Feature label Jul 26, 2017

Guite added this to the 2.1.0 milestone Jul 26, 2017

Guite self-assigned this Jul 26, 2017

Guite removed their assignment Sep 5, 2017

Guite modified the milestones: 2.1.0, 3.0.0, 4.0.0 Nov 2, 2018

Guite added a commit that referenced this issue Jun 1, 2020

remove commented code refs #3712

e4d061b

Guite changed the title ~~Set additional security headers~~ [SecurityCenter] Set additional security headers Jul 15, 2020

Guite mentioned this issue May 21, 2023

[SecurityCenter] consider https://github.com/nelmio/NelmioSecurityBundle #3646

Open

Provide feedback