Conversation

@rongquan1 rongquan1 commented Oct 21, 2025

Summary by CodeRabbit

  • Security
    • Enhanced security headers to prevent unauthorized iframe embedding and restrict cross-origin requests, strengthening the application's protective measures.

netlify bot commented Oct 21, 2025

Deploy Preview for tradetrust-gallery ready!

🔨 Latest commit: 363c3b9
🔍 Latest deploy log: https://app.netlify.com/projects/tradetrust-gallery/deploys/68f730a5bcdafc0008768d97
😎 Deploy Preview: https://deploy-preview-27--tradetrust-gallery.netlify.app

coderabbitai bot commented Oct 21, 2025

Walkthrough

Security headers updated in Netlify configuration. Permissive CORS header removed and replaced with X-Frame-Options and Content-Security-Policy headers to restrict frame embedding and prevent clickjacking attacks.

Changes

Cohort / File(s): Netlify Security Headers (netlify.toml)
Summary: Removed Access-Control-Allow-Origin = "*" and added X-Frame-Options = "DENY" and Content-Security-Policy = "frame-ancestors 'none';" to restrict frame embedding and enforce the frame-ancestors CSP directive.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 A tiny hop toward safety's door,
CORS and clickjacks trouble us no more!
With frames now locked and policies tight,
The rabbit's burrow is secure tonight. ✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
Check name: Description Check
Status: ⚠️ Warning
Explanation: The pull request description is entirely missing. According to the description template required by this repository, a proper description should include sections for Summary, Changes, Issues, and Releases. The author has provided no description content whatsoever, leaving all required sections unfilled. This makes it impossible for reviewers to understand the background of the PR, the specific changes being made, related issues or stories, or any targeted release information. Without this context, reviewers lack essential information needed to properly evaluate the pull request.
Resolution: The author should add a comprehensive pull request description following the repository template. At minimum, this should include a Summary section explaining why these security settings changes were necessary, a Changes section listing the specific modifications made to netlify.toml, an Issues section referencing any related tickets or stories, and a Releases section with the target channel and ETA. Even a brief description would significantly improve reviewability and context for future maintainers.
✅ Passed checks (2 passed)
Check name: Title Check
Status: ✅ Passed
Explanation: The pull request title "fix: security settings" is directly related to the changeset. The raw summary shows that the primary changes involve replacing a permissive CORS header with security-focused headers (X-Frame-Options and Content-Security-Policy) in netlify.toml. The title accurately reflects that these are security-related fixes. While the title is somewhat generic and doesn't specify exactly which security settings were changed, it is sufficiently clear and specific to help a teammate understand that security configuration changes were made. The title follows conventional commit format and is concise without unnecessary noise.

Check name: Docstring Coverage
Status: ✅ Passed
Explanation: No functions found in the changes. Docstring coverage check skipped.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (1)
netlify.toml (1)

5-9: Consider additional security headers for comprehensive protection.

While the frame restriction headers are strong, you may want to consider adding other security headers for defense-in-depth:

  • Strict-Transport-Security (HSTS): Forces HTTPS connections
  • X-Content-Type-Options: "nosniff": Prevents MIME-sniffing attacks
  • Referrer-Policy: Controls referrer information leakage

These can be added to the same [headers.values] section. This is optional and can be addressed in a follow-up if desired.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 346620f and 363c3b9.

📒 Files selected for processing (1)
  • netlify.toml (1 hunks)
🔇 Additional comments (1)
netlify.toml (1)

8-9: Solid security hardening: clickjacking prevention headers added.

Both headers prevent the site from being embedded in frames, defending against clickjacking attacks. X-Frame-Options provides broader browser compatibility while CSP frame-ancestors is the modern standard. Having both is a defense-in-depth best practice.

The removal of the permissive Access-Control-Allow-Origin: "*" header is a good security posture improvement.

Please verify that your application doesn't legitimately need to be embedded in frames from trusted origins. If iframe embedding from specific origins is required, you may need to relax these headers (e.g., X-Frame-Options: "SAMEORIGIN" or CSP frame-ancestors 'self' https://trusted-origin.com).
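An audit of the response headers this change produces, as an added example that is not code from the tradetrust-gallery repository or from CodeRabbit: it checks the frame-embedding and CORS points raised in the review comment above and the optional headers from the nitpick. The BEFORE and AFTER header maps are constructed to mirror the netlify.toml change; nothing is fetched from the network.

```python
"""Audit an HTTP response header map for the hardening this PR applies.

Added example, not the repository's own code. The header maps at the bottom
are constructed to mirror the netlify.toml change (permissive CORS removed,
frame-embedding headers added); feed it a real response's headers to reuse.
"""
from typing import Dict, List


def frame_ancestors(csp: str) -> List[str]:
    """Return the source list of the CSP frame-ancestors directive, [] if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return []


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []
    if h.get("access-control-allow-origin", "").strip() == "*":
        findings.append("permissive CORS: Access-Control-Allow-Origin is '*'")
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    ancestors = frame_ancestors(h.get("content-security-policy", ""))
    if not ancestors:
        findings.append("CSP frame-ancestors directive missing")
    elif "*" in ancestors:
        findings.append("CSP frame-ancestors allows any origin ('*')")
    # Defense-in-depth headers the review nitpick suggests as a follow-up.
    for name in ("strict-transport-security", "x-content-type-options", "referrer-policy"):
        if name not in h:
            findings.append(f"optional header {name} not set")
    return findings


# Constructed maps: what a browser would receive before and after the change.
BEFORE = {"Access-Control-Allow-Origin": "*"}
AFTER = {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none';",
}

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_headers(hdrs) or ["ok"])
```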

@rongquan1 rongquan1 requested a review from RishabhS7 October 21, 2025 07:34
@RishabhS7 RishabhS7 merged commit e91df44 into main Oct 21, 2025
6 checks passed
@RishabhS7 RishabhS7 deleted the fix/security branch October 21, 2025 08:07
@rongquan1 rongquan1 restored the fix/security branch October 21, 2025 08:17
@coderabbitai coderabbitai bot mentioned this pull request Oct 29, 2025