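# Security Headers Configuration for eutopspin24.games
# These headers should be configured in your hosting provider's settings
# or in a _headers file for Netlify or similar platforms.
#
# Changes from the previous revision of this file:
#   - X-XSS-Protection is now explicitly disabled (0) instead of "1; mode=block";
#     see the note in that section.
#   - Content-Security-Policy gains "object-src 'none'" and "base-uri 'self'".
#   - The Netlify example is indented the way the _headers format requires
#     (header lines must be indented beneath their path pattern).
# All other values are unchanged; inline NOTE comments mark items that still
# deserve attention before this goes to production.

# ============================================
# Recommended Security Headers
# ============================================

# HTTP Strict Transport Security (HSTS)
# Forces HTTPS connections for 1 year including subdomains.
# NOTE: "preload" signals eligibility for the browser preload lists, which is
# effectively irreversible once submitted. Keep it only if every subdomain
# will serve HTTPS permanently; roll out with a shorter max-age first if unsure.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

# Content Security Policy (CSP)
# Controls which resources can be loaded.
# NOTE: 'unsafe-inline' in script-src lets any injected <script> execute, so
# this policy does not mitigate XSS until inline scripts are moved to files or
# allowed via nonces/hashes. img-src "https:" permits images from any HTTPS
# origin; tighten it to the specific hosts once they are known.
# object-src 'none' blocks plugin/embed content, and base-uri 'self' stops an
# injected <base> tag from redirecting every relative URL on the page.
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https:; object-src 'none'; base-uri 'self'; frame-ancestors 'self';

# X-Frame-Options
# Prevents clickjacking by controlling iframe embedding.
# Note: frame-ancestors in CSP above is the modern approach; this header is
# kept for browsers that do not honour frame-ancestors.
X-Frame-Options: SAMEORIGIN

# X-Content-Type-Options
# Prevents MIME type sniffing (responses are interpreted only as their declared Content-Type).
X-Content-Type-Options: nosniff

# Referrer Policy
# Controls how much referrer information is sent: full URL same-origin,
# origin only cross-origin, nothing on HTTPS -> HTTP downgrades.
Referrer-Policy: strict-origin-when-cross-origin

# Permissions Policy (formerly Feature Policy)
# Disables the listed browser features for this origin and any embedded frames.
Permissions-Policy: accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()

# X-XSS-Protection
# Legacy header for the XSS auditor of older browsers. Modern browsers have
# removed the auditor, and the filtering mode ("1; mode=block") could itself
# be abused on the browsers that had it. Current guidance (OWASP, MDN) is to
# disable it explicitly and rely on CSP instead.
X-XSS-Protection: 0

# ============================================
# Netlify _headers file format
# ============================================
# Path patterns start at column 0; each header line must be indented beneath
# its pattern, otherwise Netlify ignores it.
#
# /*
#   Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
#   Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https:; object-src 'none'; base-uri 'self'; frame-ancestors 'self';
#   X-Frame-Options: SAMEORIGIN
#   X-Content-Type-Options: nosniff
#   Referrer-Policy: strict-origin-when-cross-origin
#   Permissions-Policy: accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()
#   X-XSS-Protection: 0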