diff --git a/.env b/.env
index be38e1c6ca..243d5d9137 100644
--- a/.env
+++ b/.env
@@ -71,7 +71,7 @@
 # - "pullAssets"
 # - "recordsActions"
 # - "subdefCreation"
-# - "subtitle"
+# - "subtitle" Not working (fixed in a future version)
 # - "validationReminder"
 # - "webhook"
 # - "writeMetadatas"
@@ -90,7 +90,7 @@
 # - COMPOSE_FILE=docker-compose.yml:docker-compose.datastores.yml:docker-compose.tools.yml:docker-compose.override.yml
 # - COMPOSE_PROFILES=app,setup,db,pma,elasticsearch,redis,redis-session,rabbitmq,workers,mailhog,builder,gateway-classic
 #
-# For testing with debug:
+# For testing with tools:
 # - COMPOSE_FILE=docker-compose.yml:docker-compose.datastores.yml:docker-compose.tools.yml
 # - COMPOSE_PROFILES=app,setup,db,pma,elasticsearch,rabbitmq,redis,redis-session,worker,workers,mailhog,gateway-classic
 #
@@ -106,7 +106,7 @@
 # - COMPOSE_FILE=docker-compose.yml:docker-compose.datastores.yml:docker-compose.tools.yml
 # - COMPOSE_PROFILES=app,setup,gateway-classic,db,elasticsearch,redis,redis-session,rabbitmq,pma,mailhog,assetsInjest,createRecord,deleteRecord,editRecord,
 #                    exportMail,exposeUpload,exportFtp,mainQueue,populateIndex,pullAssets,recordsActions,subdefCreation,
-#                    subtitle,validationReminder,webhook,writeMetadatas,shareBasket,scheduler,elk,db-backup,phraseanet-saml-sp
+#                    validationReminder,webhook,writeMetadatas,shareBasket,scheduler,elk,db-backup,phraseanet-saml-sp
 #
 
 
@@ -133,7 +133,7 @@ PHRASEANET_DOCKER_REGISTRY=local
 
 # Docker images tag.
 # @run
-PHRASEANET_DOCKER_TAG=4.1.8-rc5
+PHRASEANET_DOCKER_TAG=4.1.8-rc6
 
 # Stack Name
 # An optionnal Name for the stack
@@ -194,6 +194,11 @@ GATEWAY_USERS=
 # @run
 GATEWAY_FASTCGI_HTTPS=off
 
+# Content Security Policy (CSP)
+# security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting
+## @run 
+GATEWAY_CSP="default-src 'self' 127.0.0.1 https://apiws.carrick-skills.com:8443 https://apiws.carrick-flow.com:8443 https://fonts.gstatic.com *.tiles.mapbox.com https://api.mapbox.com https://events.mapbox.com *.axept.io *.matomo.cloud *.newrelic.com *.nr-data.net https://www.googletagmanager.com *.google-analytics.com *.phrasea.io https://apiws.carrick-flow.com:8443 https://apiws.carrick-skills.com:8443  https://maxcdn.bootstrapcdn.com data: ; script-src 'unsafe-inline' 'unsafe-eval' 'self' https://www.gstatic.com *.alchemyasp.com *.axept.io *.matomo.cloud *.newrelic.com https://www.googletagmanager.com https://apiws.carrick-flow.com:8443 https://apiws.carrick-skills.com:8443  https://maxcdn.bootstrapcdn.com  data: blob: ; style-src 'self' 'unsafe-inline' https://fonts.gstatic.com https://fonts.googleapis.com https://www.google.com https://www.gstatic.com https://apiws.carrick-flow.com:8443 https://apiws.carrick-skills.com:8443  https://maxcdn.bootstrapcdn.com ; img-src 'self'  data: blob: *.tiles.mapbox.com https://axeptio.imgix.net *.cloudfront.net *.phrasea.io *.amazonaws.com https://apiws.carrick-flow.com:8443 https://apiws.carrick-skills.com:8443  https://maxcdn.bootstrapcdn.com https://www.gnu.org/graphics/ ; object-src 'self'; frame-ancestors 'self'"
+
 # --- RabbitMQ settings ------------------------------------------------------------------------------------------------
 
 # RabbitMQ user account : create an account in RabbitMQ container and use it
diff --git a/CHANGELOG.md b/CHANGELOG.md
index d27a7ecc46..48a2ecca3d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,36 @@
 # CHANGELOG
 
+## 4.1.8-rc6
+
+### Update instructions
+
+- Migration patch: no patch to play, just run upgrade for bump version 
+- Elasticsearch index action : a "drop", "create", "populate" of elasticsearch index can be useful.
+
+### Version summary
+  
+ - Improvement and bugfix
+
+### Stack (docker compose)
+
+ - PHP setting improvement 
+ - FPM setting improvement 
+ 
+## What's Changed
+* PHRAS-3893 prod - advanced search - control calendar missing for created_on and updated_on by @aynsix in https://github.com/alchemy-fr/Phraseanet/pull/4360
+* PHRAS-3785 update composer dependencies for imagine by @moctardiouf in https://github.com/alchemy-fr/Phraseanet/pull/4362
+* PHRAS-3252 Prod - Export - The captions are not being sent when doing an export by email by @aynsix in https://github.com/alchemy-fr/Phraseanet/pull/4363
+* PHRAS-3387 php fpm optimization by @moctardiouf in https://github.com/alchemy-fr/Phraseanet/pull/4364
+* PHRAS-3890: Admin - add "auth failure" - display and purge auth failure - only for super U by @aynsix in https://github.com/alchemy-fr/Phraseanet/pull/4368
+* PHRAS-3903 Admin - object inspector - record index debug tools by @aynsix in https://github.com/alchemy-fr/Phraseanet/pull/4369
+* PHRAS-3904 Add server port on fastcgi - SAML multi provider support https conf by @moctardiouf in https://github.com/alchemy-fr/Phraseanet/pull/4370
+* PHRAS-3889 Worker - metadata write - mime/type whitelist - write metadatas only on whitelisted files by @aynsix in https://github.com/alchemy-fr/Phraseanet/pull/4366
+* PHRAS-3910 fix redis php extension build by @moctardiouf in https://github.com/alchemy-fr/Phraseanet/pull/4373
+
+
+**Full Changelog**: https://github.com/alchemy-fr/Phraseanet/compare/4.1.8-rc5...4.1.8-rc6
+
+
 ## 4.1.8-rc5
 
 ### Update instructions
diff --git a/Dockerfile b/Dockerfile
index 9e3a8d22d9..88347698af 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -126,7 +126,7 @@ RUN echo "BUILDING PHP PECL EXTENTIONS" \
     && docker-php-ext-install php-ext-jq \
     # --- end of extension jq \
     && pecl install \
-        redis \
+        redis-5.3.7 \
         amqp-1.9.3 \
         zmq-beta \
         imagick-beta \
diff --git a/docker-compose.yml b/docker-compose.yml
index 894e20dea3..991fb0c4bb 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -35,6 +35,7 @@ services:
     - GATEWAY_ALLOWED_IPS                      
     - GATEWAY_DENIED_IPS 
     - GATEWAY_USERS
+    - GATEWAY_CSP
     ports:
       - ${PHRASEANET_APP_PORT}:80
     networks:
@@ -68,6 +69,7 @@ services:
     - GATEWAY_DENIED_IPS
     - GATEWAY_USERS
     - GATEWAY_FASTCGI_HTTPS
+    - GATEWAY_CSP
     networks:
       - internal
     labels:
@@ -470,6 +472,7 @@ services:
     - OPCACHE_ENABLED
     - SESSION_CACHE_LIMITER
     - PHP_LOG_LEVEL
+    - PHP_CLI_MEMORY_LIMIT
     - LC_MESSAGES=C.UTF-8
     - LC_COLLATE=C.UTF-8
     - LC_IDENTIFICATION=C.UTF-8
@@ -524,6 +527,7 @@ services:
     - OPCACHE_ENABLED
     - SESSION_CACHE_LIMITER
     - PHP_LOG_LEVEL
+    - PHP_CLI_MEMORY_LIMIT
     - LC_MESSAGES=C.UTF-8
     - LC_COLLATE=C.UTF-8
     - LC_IDENTIFICATION=C.UTF-8
@@ -685,6 +689,7 @@ services:
     - OPCACHE_ENABLED
     - SESSION_CACHE_LIMITER
     - PHP_LOG_LEVEL
+    - PHP_CLI_MEMORY_LIMIT
     - LC_MESSAGES=C.UTF-8
     - LC_COLLATE=C.UTF-8
     - LC_IDENTIFICATION=C.UTF-8
@@ -792,6 +797,7 @@ services:
     - OPCACHE_ENABLED
     - SESSION_CACHE_LIMITER
     - PHP_LOG_LEVEL
+    - PHP_CLI_MEMORY_LIMIT
     - LC_MESSAGES=C.UTF-8
     - LC_COLLATE=C.UTF-8
     - LC_IDENTIFICATION=C.UTF-8
@@ -845,6 +851,7 @@ services:
     - OPCACHE_ENABLED
     - SESSION_CACHE_LIMITER
     - PHP_LOG_LEVEL
+    - PHP_CLI_MEMORY_LIMIT
     - LC_MESSAGES=C.UTF-8
     - LC_COLLATE=C.UTF-8
     - LC_IDENTIFICATION=C.UTF-8
@@ -1009,6 +1016,7 @@ services:
     - OPCACHE_ENABLED
     - SESSION_CACHE_LIMITER
     - PHP_LOG_LEVEL
+    - PHP_CLI_MEMORY_LIMIT
     - LC_MESSAGES=C.UTF-8
     - LC_COLLATE=C.UTF-8
     - LC_IDENTIFICATION=C.UTF-8
@@ -1053,7 +1061,7 @@ services:
         - SSH_PRIVATE_KEY=${PHRASEANET_SSH_PRIVATE_KEY}
         - PHRASEANET_PLUGINS=${PHRASEANET_PLUGINS}
     image: $PHRASEANET_DOCKER_REGISTRY/phraseanet-worker:$PHRASEANET_DOCKER_TAG
-    profiles: ["workers", "subtitle"]
+    profiles: ["subtitle"]
     restart: on-failure
     depends_on:
     - phraseanet
diff --git a/docker/nginx/root/entrypoint.sh b/docker/nginx/root/entrypoint.sh
index d38a2548ea..a002bb9112 100755
--- a/docker/nginx/root/entrypoint.sh
+++ b/docker/nginx/root/entrypoint.sh
@@ -25,6 +25,16 @@ else
   GATEWAY_FASTCGI_HTTPS="fastcgi_param HTTPS on;fastcgi_param SERVER_PORT 443;"
 fi
 
+if [ ! -z "$GATEWAY_CSP" ]; then
+  echo "Content Security policies is defined to : $GATEWAY_CSP"
+  envsubst < "/securitycontentpolicies.sample.conf" > /etc/nginx/conf.d/securitycontentpolicies.conf
+else
+  echo "Content Security policies is defined"
+  export GATEWAY_CSP="default-src 'self' 127.0.0.1 https://apiws.carrick-skills.com:8443 https://apiws.carrick-flow.com:8443 https://fonts.gstatic.com *.tiles.mapbox.com https://api.mapbox.com https://events.mapbox.com *.axept.io *.matomo.cloud *.newrelic.com *.nr-data.net https://www.googletagmanager.com *.google-analytics.com *.phrasea.io https://apiws.carrick-flow.com:8443 https://apiws.carrick-skills.com:8443  https://maxcdn.bootstrapcdn.com data: ; script-src 'unsafe-inline' 'unsafe-eval' 'self' https://www.gstatic.com *.alchemyasp.com *.axept.io *.matomo.cloud *.newrelic.com https://www.googletagmanager.com https://apiws.carrick-flow.com:8443 https://apiws.carrick-skills.com:8443  https://maxcdn.bootstrapcdn.com  data: blob: ; style-src 'self' 'unsafe-inline' https://fonts.gstatic.com https://fonts.googleapis.com https://www.google.com https://www.gstatic.com https://apiws.carrick-flow.com:8443 https://apiws.carrick-skills.com:8443  https://maxcdn.bootstrapcdn.com ; img-src 'self'  data: blob: *.tiles.mapbox.com https://axeptio.imgix.net *.cloudfront.net *.phrasea.io *.amazonaws.com https://apiws.carrick-flow.com:8443 https://apiws.carrick-skills.com:8443  https://maxcdn.bootstrapcdn.com https://www.gnu.org/graphics/ ; object-src 'self'; frame-ancestors 'self'"
+  echo "setting Security policies to : " $GATEWAY_CSP
+  envsubst < "/securitycontentpolicies.sample.conf" > /etc/nginx/conf.d/securitycontentpolicies.conf
+fi
+
 cat /nginx.conf.sample | sed "s/\$MAX_BODY_SIZE/$MAX_BODY_SIZE/g" | sed "s/\$GATEWAY_SEND_TIMEOUT/$GATEWAY_SEND_TIMEOUT/g"  | sed "s/\$GATEWAY_FASTCGI_TIMEOUT/$GATEWAY_FASTCGI_TIMEOUT/g" | sed "s/\$MAX_BODY_SIZE/$MAX_BODY_SIZE/g" | sed "s/\$GATEWAY_PROXY_TIMEOUT/$GATEWAY_PROXY_TIMEOUT/g"  | sed "s/\$NEW_TARGET/$NEW_TARGET/g"  | sed "s/\$NEW_RESOLVER/$NEW_RESOLVER/g" | sed "s/\$GATEWAY_FASTCGI_HTTPS/$GATEWAY_FASTCGI_HTTPS/g" > /etc/nginx/conf.d/default.conf
 cat /fastcgi_timeout.conf  | sed "s/\$GATEWAY_FASTCGI_TIMEOUT/$GATEWAY_FASTCGI_TIMEOUT/g" > /etc/nginx/fastcgi_extended_params
 
diff --git a/docker/nginx/root/etc/nginx/nginx.conf b/docker/nginx/root/etc/nginx/nginx.conf
index 0ac38c03a0..1e02a4dd77 100755
--- a/docker/nginx/root/etc/nginx/nginx.conf
+++ b/docker/nginx/root/etc/nginx/nginx.conf
@@ -11,6 +11,7 @@ events {
 
 http {
     include       /etc/nginx/mime.types;
+
     default_type  application/octet-stream;
 
     log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
@@ -23,13 +24,6 @@ http {
     #tcp_nopush     on;
     server_tokens off;
     #gzip  on;
-    ## Security headers for Nginx ##
-    add_header Strict-Transport-Security "max-age=15768000" always;
-    add_header X-Content-Type-Options "nosniff" always;
-    add_header X-Frame-Options "SAMEORIGIN" always;
-    add_header X-Xss-Protection "1; mode=block" always;
-    add_header Referrer-Policy  strict-origin-when-cross-origin;
-    add_header Content-Security-Policy  "default-src 'self' 127.0.0.1 https://fonts.gstatic.com *.tiles.mapbox.com https://api.mapbox.com https://events.mapbox.com *.axept.io *.matomo.cloud *.newrelic.com *.nr-data.net https://www.googletagmanager.com *.google-analytics.com *.phrasea.io data: ;script-src 'unsafe-inline' 'unsafe-eval' 'self' https://www.gstatic.com *.alchemyasp.com *.axept.io *.matomo.cloud *.newrelic.com https://www.googletagmanager.com ;style-src 'self' 'unsafe-inline' https://fonts.gstatic.com https://fonts.googleapis.com https://www.google.com https://www.gstatic.com ;img-src 'self' data: blob: *.tiles.mapbox.com https://axeptio.imgix.net *.cloudfront.net *.phrasea.io *.amazonaws.com ; object-src 'self';frame-ancestors 'self' ";
     include /etc/nginx/conf.d/*.conf;
 
 }
\ No newline at end of file
diff --git a/docker/nginx/root/securitycontentpolicies.sample.conf b/docker/nginx/root/securitycontentpolicies.sample.conf
new file mode 100644
index 0000000000..bc66cd886b
--- /dev/null
+++ b/docker/nginx/root/securitycontentpolicies.sample.conf
@@ -0,0 +1,7 @@
+    ## Security headers for Nginx ##
+    add_header Strict-Transport-Security "max-age=15768000" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Xss-Protection "1; mode=block" always;
+    add_header Referrer-Policy  strict-origin-when-cross-origin;
+    add_header Content-Security-Policy  "$GATEWAY_CSP";
\ No newline at end of file
diff --git a/lib/Alchemy/Phrasea/Core/Version.php b/lib/Alchemy/Phrasea/Core/Version.php
index eab14c1789..ed7b9b1805 100644
--- a/lib/Alchemy/Phrasea/Core/Version.php
+++ b/lib/Alchemy/Phrasea/Core/Version.php
@@ -17,7 +17,7 @@ class Version
      * @var string
      */
 
-    private $number = '4.1.8-rc5';
+    private $number = '4.1.8-rc6';
 
     /**
      * @var string
diff --git a/lib/Alchemy/Phrasea/WorkerManager/Subscriber/RecordSubscriber.php b/lib/Alchemy/Phrasea/WorkerManager/Subscriber/RecordSubscriber.php
index 92b6133856..781cb550a4 100644
--- a/lib/Alchemy/Phrasea/WorkerManager/Subscriber/RecordSubscriber.php
+++ b/lib/Alchemy/Phrasea/WorkerManager/Subscriber/RecordSubscriber.php
@@ -154,6 +154,7 @@ public function onRecordsWriteMeta(RecordsWriteMetaEvent $event)
     {
         $databoxId = $event->getDataboxId();
         $recordIds = $event->getRecordIds();
+        $acceptedMimeTypes = $this->app['conf']->get(['workers', 'writeMetadatas', 'acceptedMimeType'], []);
 
         foreach ($recordIds as $recordId) {
             $mediaSubdefRepository = $this->getMediaSubdefRepository($databoxId);
@@ -173,7 +174,13 @@ public function onRecordsWriteMeta(RecordsWriteMetaEvent $event)
 
             foreach ($mediaSubdefs as $subdef) {
                 // check subdefmetadatarequired  from the subview setup in admin
-                if (($subdef->get_name() == 'document' && $toWritemetaOriginalDocument) || $this->isSubdefMetadataUpdateRequired($databox, $type, $subdef->get_name())) {
+                // check if we want to write meta in this mime type
+                if (in_array(trim($subdef->get_mime()), $acceptedMimeTypes) &&
+                    (
+                        ($subdef->get_name() == 'document' && $toWritemetaOriginalDocument) ||
+                        $this->isSubdefMetadataUpdateRequired($databox, $type, $subdef->get_name())
+                    )
+                ) {
                     $payload = [
                         'message_type' => MessagePublisher::WRITE_METADATAS_TYPE,
                         'payload' => [
@@ -182,7 +189,6 @@ public function onRecordsWriteMeta(RecordsWriteMetaEvent $event)
                             'subdefName'  => $subdef->get_name()
                         ]
                     ];
-
                     if ($subdef->is_physically_present()) {
                         $this->messagePublisher->publishMessage($payload, MessagePublisher::WRITE_METADATAS_TYPE);
                     }
@@ -273,6 +279,8 @@ public function onSubdefinitionWritemeta(SubdefinitionWritemetaEvent $event)
 
         }
         else {
+            $acceptedMimeTypes = $this->app['conf']->get(['workers', 'writeMetadatas', 'acceptedMimeType'], []);
+
             $databoxId = $event->getRecord()->getDataboxId();
             $recordId = $event->getRecord()->getRecordId();
 
@@ -291,7 +299,13 @@ public function onSubdefinitionWritemeta(SubdefinitionWritemetaEvent $event)
             }
 
             //  only the required writemetadata from admin > subview setup is to be writing
-            if (($subdef->get_name() == 'document' && $toWritemetaOriginalDocument) || $this->isSubdefMetadataUpdateRequired($databox, $type, $subdef->get_name())) {
+            //  check if we want to write meta in this mime type
+            if (in_array($subdef->get_mime(), $acceptedMimeTypes) &&
+                (
+                    ($subdef->get_name() == 'document' && $toWritemetaOriginalDocument) ||
+                    $this->isSubdefMetadataUpdateRequired($databox, $type, $subdef->get_name())
+                )
+            ) {
                 $payload = [
                     'message_type' => MessagePublisher::WRITE_METADATAS_TYPE,
                     'payload' => [
diff --git a/lib/classes/patch/418RC6.php b/lib/classes/patch/418RC6.php
new file mode 100644
index 0000000000..3b4aff11d3
--- /dev/null
+++ b/lib/classes/patch/418RC6.php
@@ -0,0 +1,87 @@
+<?php
+
+use Alchemy\Phrasea\Application;
+use Alchemy\Phrasea\Core\Configuration\PropertyAccess;
+
+class patch_418RC6 implements patchInterface
+{
+    /** @var string */
+    private $release = '4.1.8-rc6';
+
+    /** @var array */
+    private $concern = [base::APPLICATION_BOX];
+
+    /**
+     * {@inheritdoc}
+     */
+    public function get_release()
+    {
+        return $this->release;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function getDoctrineMigrations()
+    {
+        return [];
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function require_all_upgrades()
+    {
+        return false;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function concern()
+    {
+        return $this->concern;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function apply(base $base, Application $app)
+    {
+        if ($base->get_base_type() === base::DATA_BOX) {
+            $this->patch_databox($base, $app);
+        } elseif ($base->get_base_type() === base::APPLICATION_BOX) {
+            $this->patch_appbox($base, $app);
+        }
+
+        return true;
+    }
+
+    private function patch_databox(databox $databox, Application $app)
+    {
+    }
+
+    private function patch_appbox(base $appbox, Application $app)
+    {
+        /** @var PropertyAccess $conf */
+        $conf = $app['conf'];
+
+        // PHRAS-3889
+        if (!$conf->has(['workers', 'writeMetadatas', 'acceptedMimeType'])) {
+            $defaultAcceptedMimeType = [
+                'image/jpeg',
+                'image/png',
+                'application/postscript',
+                'application/pdf',
+                'image/tiff'
+            ];
+
+            $conf->set(['workers', 'writeMetadatas', 'acceptedMimeType'], $defaultAcceptedMimeType);
+        }
+
+        // PHRAS-3896
+        if ($conf->get(['main', 'search-engine', 'options', 'populate_order']) != 'RECORD_ID') {
+            $conf->set(['main', 'search-engine', 'options', 'populate_order'], 'RECORD_ID');
+        }
+    }
+}
diff --git a/lib/conf.d/configuration.yml b/lib/conf.d/configuration.yml
index 282e693441..dab5d447e5 100644
--- a/lib/conf.d/configuration.yml
+++ b/lib/conf.d/configuration.yml
@@ -416,6 +416,13 @@ workers:
             max_retry: 3
             ttl_retry: 10000
             ttl_delayed: 5000
+    writeMetadatas:
+        acceptedMimeType:
+            - image/jpeg
+            - image/png
+            - application/postscript
+            - application/pdf
+            - image/tiff
 externalservice:
     ginger:
         AutoSubtitling:
diff --git a/templates/mobile/common/matomo_analytics.html.twig b/templates/mobile/common/matomo_analytics.html.twig
index 5c1e3251ac..a44d0308a8 100644
--- a/templates/mobile/common/matomo_analytics.html.twig
+++ b/templates/mobile/common/matomo_analytics.html.twig
@@ -6,7 +6,7 @@
         _paq.push(['trackPageView']);
         _paq.push(['enableLinkTracking']);
         (function() {
-            var u="//{{ app['conf'].get(['registry', 'general', 'matomo-analytics-url']) }}/";
+            var u="{{ app['conf'].get(['registry', 'general', 'matomo-analytics-url']) }}/";
             _paq.push(['setTrackerUrl', u+'matomo.php']);
             _paq.push(['setSiteId',  {{ app['conf'].get(['registry', 'general', 'matomo-analytics-id']) }}]);
             var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0];