TradeTrust · RishabhS7 · Nov 4, 2025 · Nov 3, 2025 · Nov 3, 2025 · Nov 3, 2025
diff --git a/netlify.toml b/netlify.toml
@@ -1,4 +1,21 @@
 [[headers]]
   for = "/*"
   [headers.values]
-    Content-Security-Policy = "frame-ancestors *;"
+    # Clickjacking protection - ALLOW EMBEDDING (templates designed to be embedded)
+    # X-Frame-Options intentionally omitted to allow embedding
+
+    # Content Security Policy - Comprehensive XSS protection with embedding support
+    Content-Security-Policy = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' data: https://fonts.gstatic.com; img-src 'self' data: https:; connect-src 'self'; frame-src https://app.netlify.com; frame-ancestors *; base-uri 'self'; form-action 'self'"
+
+    # Permissions Policy - Browser feature access control
+    Permissions-Policy = "camera=(), microphone=(), geolocation=(), interest-cohort=(), payment=(), usb=(), bluetooth=(), magnetometer=(), gyroscope=(), accelerometer=(), autoplay=(), encrypted-media=(), fullscreen=(self), picture-in-picture=()"
+
+    # Cross-origin protection (CORP + COOP for Spectre mitigation)
+    Cross-Origin-Resource-Policy = "same-origin"
+    Cross-Origin-Opener-Policy = "same-origin"
+    # Cross-Origin-Embedder-Policy omitted - would break embedding functionality
+
+    # Additional security headers
+    X-Content-Type-Options = "nosniff"
+    Strict-Transport-Security = "max-age=31536000; includeSubDomains"
+    Referrer-Policy = "strict-origin-when-cross-origin"
diff --git a/package.json b/package.json
@@ -21,8 +21,8 @@
     "serve-static": "http-server dist -p 3000",
     "example:application": "run-p 'build:css:application -- --watch' example:application:server",
     "example:application:server": "cross-env NODE_ENV=development webpack-dev-server --config application/webpack.config.js",
-    "integration": "testcafe chrome src/**/*.spec.ts --app \"npm run example:application\" --app-init-delay 4000",
-    "integration:headless": "testcafe chrome:headless src/**/*.spec.ts --app \"npm run example:application\" --app-init-delay 4000",
+    "integration": "testcafe 'chrome --disable-features=LocalNetworkAccessChecks' src/**/*.spec.ts --app \"npm run example:application\" --app-init-delay 4000",
+    "integration:headless": "testcafe 'chrome:headless --disable-features=LocalNetworkAccessChecks' src/**/*.spec.ts --app \"npm run example:application\" --app-init-delay 4000",
     "integration:concurrently:headless": "concurrently -k -s first \"npm:serve-static\" \"npm:integration:headless\"",
     "lint": "eslint . --ext .ts,.tsx --max-warnings 0",
     "lint:fix": "npm run lint -- --fix",