diff --git a/netlify.toml b/netlify.toml
index 959f28f..f6da2b6 100644
--- a/netlify.toml
+++ b/netlify.toml
@@ -2,9 +2,28 @@
 from = "/*"
 to = "/index.html"
 status = 200
+
 [[headers]]
 for = "/*"
 [headers.values]
+ # CORS configuration for TradeTrust integration
 Access-Control-Allow-Origin = "https://ref.tradetrust.io"
+
+ # Clickjacking protection
 X-Frame-Options = "DENY"
- Content-Security-Policy = "frame-ancestors 'none';"
\ No newline at end of file
+
+ # Content Security Policy - Comprehensive XSS and injection protection
+ Content-Security-Policy = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.googletagmanager.com https://www.google-analytics.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' data: https://fonts.gstatic.com; img-src 'self' data: https:; connect-src 'self' https://www.google-analytics.com; frame-src https://app.netlify.com; frame-ancestors 'none'; base-uri 'self'; form-action 'self'; upgrade-insecure-requests"
+
+ # Permissions Policy - Browser feature access control
+ Permissions-Policy = "camera=(), microphone=(), geolocation=(), interest-cohort=(), payment=(), usb=(), bluetooth=(), magnetometer=(), gyroscope=(), accelerometer=(), autoplay=(), encrypted-media=(), fullscreen=(self), picture-in-picture=()"
+
+ # Cross-origin protection (CORP + COOP for Spectre mitigation)
+ Cross-Origin-Resource-Policy = "same-origin"
+ Cross-Origin-Opener-Policy = "same-origin"
+ # Cross-Origin-Embedder-Policy omitted - compatibility with Netlify deployment tools
+
+ # Additional security headers
+ X-Content-Type-Options = "nosniff"
+ Strict-Transport-Security = "max-age=31536000; includeSubDomains"
+ Referrer-Policy = "strict-origin-when-cross-origin"
\ No newline at end of file
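Review bot: The new `Content-Security-Policy` line puts `'unsafe-inline' 'unsafe-eval'` in `script-src`, so an injected inline script or eval string still executes and the comment above it ("Comprehensive XSS and injection protection") overclaims what the policy delivers. `'unsafe-eval'` is rarely required for Google Analytics/Tag Manager; consider dropping it and replacing `'unsafe-inline'` with per-response nonces or script hashes, verifying first with a `Content-Security-Policy-Report-Only` copy of the header so nothing breaks in production, and until then reword the comment to `# Content Security Policy - restricts resource origins; script-src still allows inline/eval, so XSS protection is partial`. Separately, `Cross-Origin-Resource-Policy = "same-origin"` on `for = "/*"` blocks no-CORS cross-site loads of this site's assets (e.g. `<img>`/`<script>` tags), which may conflict with the TradeTrust integration the CORS allow-origin is meant to serve, and `Cross-Origin-Opener-Policy = "same-origin"` severs `window.opener` for popup flows; both are presumably intended but worth a one-line comment stating that they were checked against those use cases. The `from`/`to`/`status` context lines belong to a redirect table whose header starts before this hunk.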