From 8e4d10b9b5c0e13d7a6ce3209ff39600f8472f8a Mon Sep 17 00:00:00 2001
From: rongquan1 <rongquan.low@gmail.com>
Date: Wed, 29 Oct 2025 14:52:07 +0800
Subject: [PATCH 1/4] fix: security headers

---
 netlify.toml | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/netlify.toml b/netlify.toml
index 959f28f..6f97eb2 100644
--- a/netlify.toml
+++ b/netlify.toml
@@ -2,9 +2,29 @@
   from = "/*"
   to = "/index.html"
   status = 200
+
 [[headers]]
   for = "/*"
   [headers.values]
+    # CORS configuration for TradeTrust integration
     Access-Control-Allow-Origin = "https://ref.tradetrust.io"
+    
+    # Clickjacking protection
     X-Frame-Options = "DENY"
-    Content-Security-Policy = "frame-ancestors 'none';"
\ No newline at end of file
+    
+    # Content Security Policy - Comprehensive XSS and injection protection
+    Content-Security-Policy = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.googletagmanager.com https://www.google-analytics.com; style-src 'self' 'unsafe-inline'; font-src 'self' data:; img-src 'self' data: https:; connect-src 'self' https://www.google-analytics.com; frame-ancestors 'none'; base-uri 'self'; form-action 'self'; upgrade-insecure-requests"
+    
+    # Permissions Policy - Browser feature access control
+    Permissions-Policy = "camera=(), microphone=(), geolocation=(), interest-cohort=(), payment=(), usb=(), bluetooth=(), magnetometer=(), gyroscope=(), accelerometer=(), autoplay=(), encrypted-media=(), fullscreen=(self), picture-in-picture=()"
+    
+    # Cross-origin protection (CORP + COOP for Spectre mitigation)
+    Cross-Origin-Resource-Policy = "same-origin"
+    Cross-Origin-Opener-Policy = "same-origin"
+    # Cross-Origin-Embedder-Policy omitted - compatibility with Netlify deployment tools
+    
+    # Additional security headers
+    X-Content-Type-Options = "nosniff"
+    X-Permitted-Cross-Domain-Policies = "none"
+    Strict-Transport-Security = "max-age=31536000; includeSubDomains; preload"
+    Referrer-Policy = "strict-origin-when-cross-origin"
\ No newline at end of file

From cd44d6f96d447a62525d9ad365a55340742abbe4 Mon Sep 17 00:00:00 2001
From: rongquan1 <rongquan.low@gmail.com>
Date: Wed, 29 Oct 2025 14:54:52 +0800
Subject: [PATCH 2/4] fix: update

---
 netlify.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/netlify.toml b/netlify.toml
index 6f97eb2..5dc0a68 100644
--- a/netlify.toml
+++ b/netlify.toml
@@ -13,7 +13,7 @@
     X-Frame-Options = "DENY"
     
     # Content Security Policy - Comprehensive XSS and injection protection
-    Content-Security-Policy = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.googletagmanager.com https://www.google-analytics.com; style-src 'self' 'unsafe-inline'; font-src 'self' data:; img-src 'self' data: https:; connect-src 'self' https://www.google-analytics.com; frame-ancestors 'none'; base-uri 'self'; form-action 'self'; upgrade-insecure-requests"
+    Content-Security-Policy = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.googletagmanager.com https://www.google-analytics.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' data: https://fonts.gstatic.com; img-src 'self' data: https:; connect-src 'self' https://www.google-analytics.com; frame-src https://app.netlify.com; frame-ancestors 'none'; base-uri 'self'; form-action 'self'; upgrade-insecure-requests"
     
     # Permissions Policy - Browser feature access control
     Permissions-Policy = "camera=(), microphone=(), geolocation=(), interest-cohort=(), payment=(), usb=(), bluetooth=(), magnetometer=(), gyroscope=(), accelerometer=(), autoplay=(), encrypted-media=(), fullscreen=(self), picture-in-picture=()"

From 87d9f90941a1ee12e8ef4e1692cc6703aa062946 Mon Sep 17 00:00:00 2001
From: rongquan1 <rongquan.low@gmail.com>
Date: Mon, 3 Nov 2025 10:01:59 +0800
Subject: [PATCH 3/4] fix: update

---
 netlify.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/netlify.toml b/netlify.toml
index 5dc0a68..ed65971 100644
--- a/netlify.toml
+++ b/netlify.toml
@@ -26,5 +26,5 @@
     # Additional security headers
     X-Content-Type-Options = "nosniff"
     X-Permitted-Cross-Domain-Policies = "none"
-    Strict-Transport-Security = "max-age=31536000; includeSubDomains; preload"
+    Strict-Transport-Security = "max-age=31536000; includeSubDomains"
     Referrer-Policy = "strict-origin-when-cross-origin"
\ No newline at end of file

From 5a0ff7d6cc4f941723d7beb001ad5ee8e8f30b1f Mon Sep 17 00:00:00 2001
From: rongquan1 <rongquan.low@gmail.com>
Date: Mon, 3 Nov 2025 10:03:19 +0800
Subject: [PATCH 4/4] fix: update

---
 netlify.toml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/netlify.toml b/netlify.toml
index ed65971..f6da2b6 100644
--- a/netlify.toml
+++ b/netlify.toml
@@ -25,6 +25,5 @@
     
     # Additional security headers
     X-Content-Type-Options = "nosniff"
-    X-Permitted-Cross-Domain-Policies = "none"
     Strict-Transport-Security = "max-age=31536000; includeSubDomains"
     Referrer-Policy = "strict-origin-when-cross-origin"
\ No newline at end of file