Update src/main/java/com/example/config/SecurityConfig.java

src/main/java/com/example/config/SecurityConfig.java

@@ -34,42 +34,30 @@ public class SecurityConfig {
             .logout(logout -> logout.logoutSuccessUrl("/"))
             .oidcLogout(oidc -> oidc.backChannel(Customizer.withDefaults()))
             .headers(headers -> headers
-                // 1. Content Security Policy (Hardened)
-                .contentSecurityPolicy(csp -> csp
-                    .policyDirectives("default-src 'self'; " +
-                        "script-src 'self' 'unsafe-inline' 'unsafe-eval'; " + 
-                        "style-src 'self' 'unsafe-inline'; " +
-                        "img-src 'self' data:; " +
-                        "connect-src 'self' " +
-                            "https://8080-firebase-auth-java-1771681085208.cluster-c36dgv2kibakqwbbbsgmia3fny.cloudworkstations.dev " +
-                            "https://4200-firebase-auth-java-1771681085208.cluster-c36dgv2kibakqwbbbsgmia3fny.cloudworkstations.dev " +
-                            "https://learnifymedhub-kc.hf.space; " +
-                        "frame-ancestors 'self' https://*.cloudworkstations.dev https://*.google.com; " +
-                        "form-action 'self';")
-                )
-                // 2. HTTP Strict Transport Security (HSTS)
-                .httpStrictTransportSecurity(hsts -> hsts
-                    .includeSubDomains(true)
-                    .preload(true)
-                    .maxAgeInSeconds(31536000) // 1 year
-                )
-                // 3. X-Content-Type-Options: nosniff
-                .contentTypeOptions(Customizer.withDefaults())
-                
-                // 4. X-Frame-Options: SAMEORIGIN
-                .frameOptions(frame -> frame.sameOrigin())
-                
-                // 5. Referrer Policy
-                .referrerPolicy(referrer -> referrer
-                    .policy(org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter.ReferrerPolicy.STRICT_ORIGIN_WHEN_CROSS_ORIGIN)
-                )
-                
-                // 6. Permissions Policy (FIXED: Using the new permissionsPolicyHeader method)
-                .permissionsPolicyHeader(permissions -> permissions
-                    .policy("geolocation=(), microphone=(), camera=(), payment=(), usb=()")
-                )
-            );
-
-        return http.build();
-    }
-}
+              .defaultsDisabled() // Disable defaults so they don't conflict with HF proxy
+              .contentTypeOptions(Customizer.withDefaults())
+              .frameOptions(frame -> frame.sameOrigin())
+              .httpStrictTransportSecurity(hsts -> hsts
+                  .includeSubDomains(true)
+                  .maxAgeInSeconds(31536000)
+              )
+              .contentSecurityPolicy(csp -> csp
+                  .policyDirectives("default-src 'self'; " +
+                      "script-src 'self' 'unsafe-inline' 'unsafe-eval'; " + 
+                      "style-src 'self' 'unsafe-inline'; " +
+                      "img-src 'self' data:; " +
+                      "connect-src 'self' https://learnifymedhub-kc.hf.space; " +
+                      "frame-ancestors 'self' https://huggingface.co; " + // Allow HF to frame your app
+                      "form-action 'self';")
+              )
+              .referrerPolicy(referrer -> referrer
+                  .policy(org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter.ReferrerPolicy.STRICT_ORIGIN_WHEN_CROSS_ORIGIN)
+              )
+              .permissionsPolicyHeader(permissions -> permissions
+                  .policy("geolocation=(), microphone=(), camera=(), payment=(), usb=()")
+              )
+          );
+          
+                  return http.build();
+              }
+          }