# Cloudflare Pages Headers Configuration for Iframe Wallet
# This file configures security headers for the iframe at auth.lumiapassport.com

/*
  # Content Security Policy - Strict security policy for iframe
  # IMPORTANT: frame-ancestors 'https:' allows embedding on any HTTPS site
  # Domain validation is performed via projectId check in JavaScript
  # NOTE(review): with frame-ancestors this broad, clickjacking / UI-redress protection for the
  # wallet rests entirely on that JS check. A projectId is presumably a public identifier that any
  # embedder can pass, so confirm the check also validates the embedding origin (e.g. the
  # referrer / ancestor origin) against an expected allowlist rather than the projectId alone.
  # connect-src whitelist: only allowed TSS servers (where the second key share is stored) and lumiapassport.com subdomains
  # NOTE(review): the connect-src value below lists 'self', https://*.lumiapassport.com and
  # https://*.sumsub.com only - the TSS servers mentioned above are presumably under
  # *.lumiapassport.com; confirm, since the wildcard also admits every other subdomain.
  # script-src: Added https://telegram.org for Telegram Login Widget
  # script-src: Added 'unsafe-eval' required by Telegram Widget (uses eval for callbacks)
  # NOTE(review): 'unsafe-eval' is a source-wide keyword - it re-enables eval()/Function() for
  # every script allowed by script-src, not only the Telegram widget. Treat it as an accepted
  # weakening of the CSP and revisit if the widget ever stops requiring it.
  # frame-src: Added https://oauth.telegram.org for Telegram OAuth iframe
  # NOTE: http://localhost:* in frame-ancestors is for development testing only
  # NOTE(review): the localhost entry is present in this file as committed; if this is the file
  # that gets deployed, any local process serving plain HTTP on any port can frame the wallet.
  # Confirm it is removed or injected only for preview/dev builds.
  # NOTE(review): img-src https: permits images from any HTTPS origin; fine for a UI, but it is
  # the broadest directive here - tighten to known hosts if image sources are enumerable.
  Content-Security-Policy: default-src 'self'; script-src 'self' 'wasm-unsafe-eval' 'unsafe-eval' https://telegram.org https://static.sumsub.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https: blob:; font-src 'self'; connect-src 'self' https://*.lumiapassport.com https://*.sumsub.com; frame-src https://oauth.telegram.org https://*.sumsub.com; frame-ancestors https: http://localhost:*; base-uri 'self'; form-action 'self';

  # Allow iframe embedding from HTTPS sites (domain validation in JS)
  # X-Frame-Options is NOT set (CSP frame-ancestors takes precedence in browsers that support it)

  # Prevent MIME type sniffing
  X-Content-Type-Options: nosniff

  # Referrer policy
  Referrer-Policy: strict-origin-when-cross-origin

  # Permissions policy (camera, microphone, geolocation needed for Sumsub KYC)
  # Everything not listed for Sumsub is explicitly denied (payment, usb, magnetometer, gyroscope).
  Permissions-Policy: geolocation=(self "https://*.sumsub.com"), microphone=(self "https://*.sumsub.com"), camera=(self "https://*.sumsub.com"), payment=(), usb=(), magnetometer=(), gyroscope=()

  # HSTS - Force HTTPS (uncomment for production)
  # NOTE(review): as committed, no Strict-Transport-Security header is emitted at all. For a
  # wallet origin this should be active in production; confirm the deploy pipeline enables it
  # rather than relying on someone remembering to uncomment the line.
  # Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

  # CORS headers - Allow postMessage from any origin (we validate in JS)
  # NOTE(review): CORS headers do not govern postMessage - postMessage is controlled by the
  # sender's targetOrigin and the receiver's event.origin check in JS. What ACAO: * actually does
  # here is let any origin read these responses via fetch/XHR. That is harmless for public static
  # assets, but make sure nothing served under /* (this rule presumably also applies to the
  # /*.js, /*.css and /*.wasm paths below) ever contains per-user or per-session data.
  Access-Control-Allow-Origin: *
  Access-Control-Allow-Methods: GET, OPTIONS
  Access-Control-Allow-Headers: Content-Type

  # Cache control for HTML - always revalidate so header/CSP changes take effect immediately
  Cache-Control: public, max-age=0, must-revalidate

/*.js
  # Cache JavaScript files for 1 year (immutable assumes content-hashed filenames - confirm the build does this)
  Cache-Control: public, max-age=31536000, immutable

/*.css
  # Cache CSS files for 1 year (same content-hashing assumption as /*.js)
  Cache-Control: public, max-age=31536000, immutable

/*.wasm
  # Cache WASM files for 1 year (same content-hashing assumption as /*.js)
  Cache-Control: public, max-age=31536000, immutable
  # Explicit MIME type: with nosniff set above, WebAssembly streaming compilation requires
  # exactly application/wasm, so do not rely on the platform's default guess.
  Content-Type: application/wasm
