From fb3573316c2b8048529421f79e9fe3db4ab4676d Mon Sep 17 00:00:00 2001
From: mdshamoon
Date: Fri, 6 Oct 2023 11:43:30 +0530
Subject: [PATCH] security headers update

---
 static.json | 5 ++++-
 vite.config.ts | 2 +-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/static.json b/static.json
index a319d0d078..87d79f663c 100644
--- a/static.json
+++ b/static.json
@@ -7,7 +7,10 @@
 "headers": {
 "/**": {
 "X-Content-Type-Options": "nosniff",
- "X-Frame-Options": "deny"
+ "X-XSS-Protection": "1; mode=block",
+ "X-Frame-Options": "deny",
+ "Content-Security-Policy": "default-src * data:; script-src 'self' 'unsafe-inline' 'unsafe-eval' blob:; script-src-elem 'self' 'unsafe-inline' https://www.google.com https://www.gstatic.com; frame-src 'self' https://www.google.com https://www.gstatic.com data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' data: https://fonts.gstatic.com; connect-src *;",
+ "Strict-Transport-Security": "max-age=63072000; includeSubdomains; preload"
 }
 }
 }
diff --git a/vite.config.ts b/vite.config.ts
index 8013a1d3c9..3149ab406b 100644
--- a/vite.config.ts
+++ b/vite.config.ts
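Review bot: The Content-Security-Policy added to static.json sets `default-src * data:` and puts `'unsafe-eval'` into `script-src`, which is looser than the policy vite.config.ts served before this commit (`default-src 'self' data:`, no `'unsafe-eval'`); the vite.config.ts hunk below applies the same loosening. With a wildcard default every fetch directive that is not listed (`object-src`, `img-src`, `media-src`, `worker-src`, …) falls back to `*`, and `'unsafe-eval'` gives up the guard against injected strings reaching `eval`/`Function`, so beyond `frame-src` and `style-src` the header now restricts very little. If a dependency genuinely requires `eval`, record which one in a comment beside the value and keep the fallback tight, e.g. `"default-src 'self' data:; object-src 'none'; base-uri 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' blob:; …"` with the remaining directives unchanged. Separately, `X-XSS-Protection: 1; mode=block` is a legacy header that current browsers ignore and that caused problems in the older engines that honoured it; setting it to `0` or omitting it is the usual guidance now.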
@@ -64,7 +64,7 @@ export default ({ command, mode }: ConfigEnv): UserConfigExport => {
 'X-XSS-Protection': '1; mode=block',
 'X-Frame-Options': 'deny',
 'Content-Security-Policy':
- "default-src 'self' data:; script-src 'self' 'unsafe-inline' blob:; script-src-elem 'self' 'unsafe-inline' https://www.google.com https://www.gstatic.com; frame-src 'self' https://www.google.com https://www.gstatic.com data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' data: https://fonts.gstatic.com; connect-src *;",
+ "default-src * data:; script-src 'self' 'unsafe-inline' 'unsafe-eval' blob:; script-src-elem 'self' 'unsafe-inline' https://www.google.com https://www.gstatic.com; frame-src 'self' https://www.google.com https://www.gstatic.com data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' data: https://fonts.gstatic.com; connect-src *;",
 'Strict-Transport-Security': 'max-age=63072000; includeSubdomains; preload',
 },
 },
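Review bot: The CSP string is now hand-maintained in two places — this header map and static.json — and nothing in either file says so, so the next edit to one of them will silently leave the other behind. A short comment above `'Content-Security-Policy':` such as `// Keep identical to the "Content-Security-Policy" value in static.json; both serve the same app.` would make the coupling visible, and deriving both from a single constant would remove it. The enclosing `export default ({ command, mode }: ConfigEnv)` config function starts and ends outside this hunk.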