# SPA fallback: every path is served /index.html with a 200 (a rewrite, not an
# HTTP redirect), so client-side routing resolves the URL. The headers rule
# below also matches "/*", so these fallback responses carry the same headers.
[[redirects]]
from = "/*"
to = "/index.html"
status = 200
# Response headers applied to every path served by the site (same "/*" match as
# the SPA rewrite above, so index.html fallback responses get them as well).
[[headers]]
for = "/*"
[headers.values]
# CORS configuration for TradeTrust integration.
# Exactly one origin may read responses cross-origin. No
# Access-Control-Allow-Methods / -Allow-Headers are configured here, so only
# requests that need no preflight are covered — confirm that is sufficient for
# the integration.
Access-Control-Allow-Origin = "https://ref.tradetrust.io"
# Clickjacking protection. Legacy-browser counterpart of the CSP
# frame-ancestors 'none' directive below; keeping both is intentional.
X-Frame-Options = "DENY"
# Content Security Policy. Be precise about what it does and does not stop:
# script-src carries 'unsafe-inline' and 'unsafe-eval', so injected inline
# script or eval() is still permitted to run — nonces or hashes would be needed
# for real XSS containment (TODO: confirm whether the app genuinely needs eval).
# img-src accepts any https: origin; frame-src is limited to app.netlify.com;
# frame-ancestors 'none' blocks all framing; base-uri and form-action are
# pinned to 'self'; upgrade-insecure-requests rewrites http subresource loads
# to https.
Content-Security-Policy = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.googletagmanager.com https://www.google-analytics.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' data: https://fonts.gstatic.com; img-src 'self' data: https:; connect-src 'self' https://www.google-analytics.com; frame-src https://app.netlify.com; frame-ancestors 'none'; base-uri 'self'; form-action 'self'; upgrade-insecure-requests"
# Permissions Policy - Browser feature access control.
# Every listed feature is denied to all origins (empty allowlist) except
# fullscreen, which is allowed for same-origin (self) only.
Permissions-Policy = "camera=(), microphone=(), geolocation=(), interest-cohort=(), payment=(), usb=(), bluetooth=(), magnetometer=(), gyroscope=(), accelerometer=(), autoplay=(), encrypted-media=(), fullscreen=(self), picture-in-picture=()"
# Cross-origin protection (CORP + COOP for Spectre mitigation).
# CORP same-origin blocks other origins from loading this site's resources in
# no-cors mode (<img>, <script> tags and the like). CORS-mode fetches that pass
# the Access-Control-Allow-Origin check above are not subject to CORP — confirm
# the TradeTrust integration fetches in CORS mode rather than embedding
# resources directly.
Cross-Origin-Resource-Policy = "same-origin"
# COOP same-origin isolates this site's browsing context group, so cross-origin
# pages that open it cannot keep a usable window.opener reference.
Cross-Origin-Opener-Policy = "same-origin"
# Cross-Origin-Embedder-Policy omitted - compatibility with Netlify deployment tools
# Additional security headers
# Stops browsers from MIME-sniffing responses away from the declared type.
X-Content-Type-Options = "nosniff"
# HSTS: max-age is 31536000 s (one year) and includeSubDomains extends it to
# every subdomain. No `preload` directive is present, so the site is not
# eligible for the browser preload list as configured.
Strict-Transport-Security = "max-age=31536000; includeSubDomains"
# Full referrer on same-origin requests, origin only on cross-origin https
# requests, nothing on an https->http downgrade.
Referrer-Policy = "strict-origin-when-cross-origin"