gnx/Hotel-Booking
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
5a8ca3c475bd83ba8713ef3641b08ca49ce1e2dd
Hotel-Booking/Frontend/index.html
Iliyan Angelov 62c1fe5951 updates
2025-12-01 06:50:10 +02:00

69 lines
3.6 KiB
HTML
Raw Blame History

<!doctype html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<link rel="icon" type="image/svg+xml" href="/vite.svg" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<!-- SECURITY: Security headers for payment pages and general security -->
<meta http-equiv="X-Content-Type-Options" content="nosniff" />
<meta http-equiv="X-Frame-Options" content="SAMEORIGIN" />
<meta http-equiv="X-XSS-Protection" content="1; mode=block" />
<!-- SECURITY: Prevent caching of sensitive pages (payment pages should set no-cache) -->
<meta http-equiv="Cache-Control" content="no-cache, no-store, must-revalidate" />
<meta http-equiv="Pragma" content="no-cache" />
<meta http-equiv="Expires" content="0" />
<!-- SECURITY: Content Security Policy - XSS protection -->
<!--
IMPORTANT: This CSP is permissive for development compatibility.
For production, the backend MUST set strict CSP headers that override this.
Production CSP should:
- Remove 'unsafe-inline' and 'unsafe-eval' from script-src
- Use nonces or hashes for inline scripts
- Remove 'unsafe-inline' from style-src (use nonces)
- Set report-uri for violation reporting
Current CSP allows:
- unsafe-inline/unsafe-eval: Required for Vite HMR in development
- ws://localhost: Required for Vite HMR websocket
Backend should set headers like:
Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-{NONCE}' https://js.stripe.com ...; ...
-->
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://js.stripe.com https://www.google.com https://www.gstatic.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https: http: blob:; connect-src 'self' https: http://localhost:* http://127.0.0.1:* ws://localhost:* ws://127.0.0.1:* wss: https://js.stripe.com https://hooks.stripe.com https://www.google.com; frame-src 'self' https://js.stripe.com https://hooks.stripe.com https://www.google.com; object-src 'none'; base-uri 'self'; form-action 'self'; upgrade-insecure-requests;" />
<!-- Preconnect to external resources for faster loading -->
<link rel="preconnect" href="https://fonts.googleapis.com" />
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin />
<!-- Preload critical fonts -->
<link href="https://fonts.googleapis.com/css2?family=Playfair+Display:wght@400;500;600;700;800;900&family=Cormorant+Garamond:wght@300;400;500;600;700&family=Cinzel:wght@400;500;600;700&family=Poppins:wght@300;400;500;600;700&family=Inter:wght@300;400;500;600&display=swap" rel="stylesheet" />
<!-- Prevent FOUC with minimal inline styles -->
<style>
/* Prevent flash of unstyled content */
body {
margin: 0;
padding: 0;
font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', 'Roboto', 'Oxygen', 'Ubuntu', 'Cantarell', 'Fira Sans', 'Droid Sans', 'Helvetica Neue', sans-serif;
-webkit-font-smoothing: antialiased;
-moz-osx-font-smoothing: grayscale;
background-color: #ffffff;
}
#root {
min-height: 100vh;
}
/* Loading state */
#root:empty::before {
content: '';
display: block;
width: 100%;
height: 100vh;
background-color: #ffffff;
}
</style>
<title>Luxury Hotel - Excellence Redefined</title>
</head>
<body>
<div id="root"></div>
<script type="module" src="/src/main.tsx"></script>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink