TradeTrust · RishabhS7 · Nov 4, 2025 · Nov 3, 2025 · Nov 3, 2025 · Nov 3, 2025
diff --git a/netlify.toml b/netlify.toml
@@ -1,4 +1,21 @@
 [[headers]]
   for = "/*"
   [headers.values]
-    Content-Security-Policy = "frame-ancestors *;"
+    # Clickjacking protection - ALLOW EMBEDDING (templates designed to be embedded)
+    # X-Frame-Options intentionally omitted to allow embedding
+
+    # Content Security Policy - Comprehensive XSS protection with embedding support
+    Content-Security-Policy = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; font-src 'self' data:; img-src 'self' data: https:; connect-src 'self'; frame-ancestors *; base-uri 'self'; form-action 'self'; upgrade-insecure-requests"
+
+    # Permissions Policy - Browser feature access control
+    Permissions-Policy = "camera=(), microphone=(), geolocation=(), interest-cohort=(), payment=(), usb=(), bluetooth=(), magnetometer=(), gyroscope=(), accelerometer=(), autoplay=(), encrypted-media=(), fullscreen=(self), picture-in-picture=()"
+
+    # Cross-origin protection (CORP + COOP for Spectre mitigation)
+    Cross-Origin-Resource-Policy = "cross-origin"
+    Cross-Origin-Opener-Policy = "unsafe-none"
+    # Cross-Origin-Embedder-Policy omitted - would break embedding functionality
+
+    # Additional security headers
+    X-Content-Type-Options = "nosniff"
+    Strict-Transport-Security = "max-age=31536000; includeSubDomains"
+    Referrer-Policy = "strict-origin-when-cross-origin"