Upload 10 files

server.js

@@ -50,11 +50,14 @@ const FORCE_MINIMAL = /^true$/i.test(process.env.FORCE_MINIMAL || 'false');
 
 // Middlewares
 app.use(helmet({
-  crossOriginResourcePolicy: { policy: 'cross-origin' }
+  crossOriginResourcePolicy: { policy: 'cross-origin' },
+  // Allow embedding on Hugging Face Spaces (disable X-Frame-Options)
+  frameguard: false
 }));
 
 // Enable CSP and allow inline script/style for this SPA.
 // Also allow connections to the upstream image API.
+// Allow embedding inside Hugging Face Spaces iframe via frame-ancestors
 app.use(helmet.contentSecurityPolicy({
   useDefaults: true,
   directives: {
@@ -65,10 +68,16 @@ app.use(helmet.contentSecurityPolicy({
     "font-src": ["'self'", "data:"],
     "connect-src": ["'self'", "https://image.chutes.ai"],
     "media-src": ["'self'", "data:", "blob:"],
-    "frame-ancestors": ["'self'"]
+    "frame-ancestors": ["'self'", "https://huggingface.co", "https://*.huggingface.co"]
   }
 }));
 
+// Ensure no legacy X-Frame-Options header blocks embedding
+app.use((req, res, next) => {
+  res.removeHeader('X-Frame-Options');
+  next();
+});
+
 app.use(cors());
 app.use(compression());
 app.use(express.json({ limit: '2mb' }));