Configuration

Matthew Henry edited this page Sep 1, 2020 · 4 revisions

Configuration 🗒️

Configuration of this bundle is handled by the ise_web_websecurity.yaml file found in your project's /config/packages folder.

Configuration Breakdown

Configuration allows you to specify the policies that the bundle will apply. Every feature has an active key which decides whether the feature is applied in a given context.

COOP and COEP

For coop and coep, if the feature is active then a policy must be defined. Some more detail on these policies can be found here. The policy values for each are listed below:

  • coop
    • same-site
    • same-origin
    • cross-site
    • unsafe-none
  • coep
    • require-corp
    • unsafe-none

A policy_overwrite flag will let you define a policy outside of this list, should the spec change.

coop:
    active: true
    policy: 'same-origin'
coep:
    active: true
    policy: 'require-corp'

Fetch Metadata

The policies available for Fetch Metadata are broader. If no policy is specified, then the default policy will be used. The default policy is detailed in this article.

If using the default policy, defining allowed_endpoints: [ENDPOINTS] in the configuration will add those paths to the allowed endpoints list of the default policy.

Custom policies can be defined, provided they implement the Ise\WebSecurityBundle\Policies\FetchMetadataPolicyInterface interface. Defining a custom policy is not recommended, but should unique situations present themselves in your application, or if you have a good knowledge of the Fetch Metadata feature, this interface will allow you to create a policy of your own. To apply your policy to a given path, the format of the configuration option is policy: SERVICE PATH, for example policy: Ise\WebSecurityBundle\Policies\FetchMetadataPolicy. See the example below:

fetch_metadata:
   active: true
   policy: Ise\WebSecurityBundle\Policies\DefaultFetchMetadataPolicy
   # Allowed endpoints only applies to the default fetch metadata policy provided by the bundle
   allowed_endpoints: ['/img']
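To show what a Fetch Metadata policy actually decides for a request, and what allowed_endpoints exempts, here is an added illustration in the shape of the widely cited web.dev "resource isolation" policy. It is not the bundle's code, and it is an assumption that the bundle's default policy matches this logic exactly; the sample requests are constructed.

```python
# Added illustration of a Fetch Metadata resource isolation policy
# (web.dev style). Not the bundle's code; whether the bundle's default
# policy matches this exactly is an assumption.

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def is_request_allowed(headers, path, method="GET", allowed_endpoints=()):
    """Decide whether a request passes the isolation policy.

    headers: request header names to values (matched case-insensitively).
    allowed_endpoints: path prefixes exempt from the policy, mirroring the
    allowed_endpoints config option (e.g. public images fetched cross-site).
    """
    h = {k.lower(): v for k, v in headers.items()}
    site = h.get("sec-fetch-site")

    # Older browsers send no Fetch Metadata headers; with nothing to decide
    # on, the request is let through rather than breaking those clients.
    if site is None:
        return True

    # Same-origin, same-site and user-initiated ("none") requests are fine.
    if site in ("same-origin", "same-site", "none"):
        return True

    # Endpoints explicitly opened to cross-site callers bypass the policy.
    if any(path.startswith(prefix) for prefix in allowed_endpoints):
        return True

    # Cross-site top-level navigations with a safe method stay allowed so
    # links into the site keep working, except when rendered via <object>
    # or <embed>.
    mode = h.get("sec-fetch-mode")
    dest = h.get("sec-fetch-dest")
    if (mode == "navigate" and method.upper() in SAFE_METHODS
            and dest not in ("object", "embed")):
        return True

    # Everything else (cross-site XHR/fetch, form POSTs, embeds) is blocked.
    return False


# Constructed sample requests: (name, headers, path, method).
SAMPLE_REQUESTS = [
    ("same-origin fetch",
     {"Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "cors"}, "/api/data", "GET"),
    ("cross-site fetch",
     {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "cors"}, "/api/data", "GET"),
    ("cross-site link click",
     {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate",
      "Sec-Fetch-Dest": "document"}, "/home", "GET"),
    ("cross-site form POST",
     {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate",
      "Sec-Fetch-Dest": "document"}, "/account/delete", "POST"),
    ("cross-site image",
     {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "no-cors",
      "Sec-Fetch-Dest": "image"}, "/img/logo.png", "GET"),
    ("legacy browser", {}, "/api/data", "GET"),
]


def evaluate_samples(allowed_endpoints=("/img",)):
    """Return {name: allowed?} for the constructed sample requests."""
    return {
        name: is_request_allowed(headers, path, method, allowed_endpoints)
        for name, headers, path, method in SAMPLE_REQUESTS
    }


if __name__ == "__main__":
    for name, allowed in evaluate_samples().items():
        print(f"{name:24s} -> {'allow' if allowed else 'block (403)'}")
```

Note that the "cross-site image" request is only allowed because "/img" is in the exemption list, which is the effect allowed_endpoints: ['/img'] has in the configuration above; remove the exemption and the same request is blocked.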

Trusted Types

Trusted Types configuration allows you to specify both the Trusted Types policies and the sinks to apply them to. Trusted Types itself is an extension of CSP, so when active these configuration options are applied to the Content-Security-Policy header. An example of Trusted Types configuration is below:

trusted_types:
    active: true
    policies: ['foo', 'bar']
    require_for: ['script', 'style']

Configuration priorities

Configuration for the bundle is handled in two stages: the defaults config and the paths config. defaults applies to every route but can be overwritten in the paths config. For example:

ise_web_security:
    defaults:
        coop: 
            active: true
    paths:
        '/api':
            coop:
                active: false

In the example above, coop: active: true applies to every route that is not configured under paths. For the /api route, however, coop: active: false applies.

Presets

A number of presets exist that can be applied at any priority in the config. You can find them here.

Gotchas and considerations

Due to the priority system and preset system, a few edge cases exist in the config options.

  1. defaults needs a full config: with some exceptions, every primary option has to be defined or an exception will be thrown.
  2. Presets can be overwritten at any level, but the overwrite must be complete for any given section. For example, if you overwrite coop you need to define both the active key and the policy key, not just one of them.
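The two gotchas above are easiest to see with a small resolver. The following is an added illustration of the defaults/paths resolution and the "overwrite a section completely" rule as this page describes them; it is not the bundle's own resolver. The list of primary sections, the longest-prefix path matching and the validation are assumptions, and the config is a constructed sample.

```python
# Added illustration of defaults/paths resolution. Not the bundle's code:
# PRIMARY_SECTIONS, prefix matching and validation are assumptions.

# Assumption: the primary sections that defaults has to define (gotcha 1).
PRIMARY_SECTIONS = ("coop", "coep", "fetch_metadata", "trusted_types")

# Constructed sample in the shape of the ise_web_security config.
SAMPLE_CONFIG = {
    "defaults": {
        "coop": {"active": True, "policy": "same-origin"},
        "coep": {"active": True, "policy": "require-corp"},
        "fetch_metadata": {"active": True, "allowed_endpoints": ["/img"]},
        "trusted_types": {"active": False},
    },
    "paths": {
        "/api": {"coop": {"active": False}},
        # Incomplete overwrite (gotcha 2): coop stays active but the
        # policy key from defaults does not carry over.
        "/legacy": {"coop": {"active": True}},
    },
}


def validate_defaults(defaults):
    """Gotcha 1: defaults must carry every primary section."""
    missing = [s for s in PRIMARY_SECTIONS if s not in defaults]
    if missing:
        raise ValueError(f"defaults is missing sections: {missing}")


def resolve(config, request_path):
    """Return the effective per-section config for request_path."""
    validate_defaults(config["defaults"])
    effective = dict(config["defaults"])

    # Assumption: the longest matching path prefix wins.
    best = None
    for prefix in config.get("paths", {}):
        if request_path == prefix or request_path.startswith(prefix.rstrip("/") + "/"):
            if best is None or len(prefix) > len(best):
                best = prefix

    if best is not None:
        for section, value in config["paths"][best].items():
            # Gotcha 2: the section is replaced whole, not merged key by key.
            effective[section] = value
    return effective


def incomplete_sections(effective):
    """Sections that are active but lack the policy they need (coop/coep)."""
    return [
        s for s in ("coop", "coep")
        if effective[s].get("active") and "policy" not in effective[s]
    ]


if __name__ == "__main__":
    for path in ("/home", "/api/users", "/legacy/page"):
        eff = resolve(SAMPLE_CONFIG, path)
        print(path, eff["coop"], "incomplete:", incomplete_sections(eff))
```

Running it shows /home keeping the full coop section from defaults, /api/users ending up with coop: active: false and no policy at all, and /legacy/page being flagged because its partial overwrite left coop active without a policy, which is exactly the situation gotcha 2 warns about.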