feat: Enhance security and SEO with new headers and metadata

- Added security headers to prevent clickjacking, MIME-type sniffing, and XSS attacks. - Implemented Content Security Policy for resource management. - Included Open Graph and Twitter Card metadata for improved social media sharing. - Added structured data (JSON-LD) for better search engine visibility. - Improved accessibility with a skip link for main content navigation.
2026-01-16 23:52:43 +01:00
parent 4e0d64999e
commit aad6c3ea8a
3 changed files with 71 additions and 4 deletions
--- a/dist/includes/functions.php
+++ b/dist/includes/functions.php
@@ -3,6 +3,34 @@
 * Helper functions for HexaHost.de
 */

+// Security Headers setzen (nur wenn noch nicht gesendet)
+if (!headers_sent()) {
+    // Schutz vor Clickjacking
+    header('X-Frame-Options: DENY');
+    
+    // Schutz vor MIME-Type-Sniffing
+    header('X-Content-Type-Options: nosniff');
+    
+    // XSS-Schutz für ältere Browser
+    header('X-XSS-Protection: 1; mode=block');
+    
+    // Referrer-Policy für Privatsphäre
+    header('Referrer-Policy: strict-origin-when-cross-origin');
+    
+    // Permissions-Policy (ehemals Feature-Policy)
+    header("Permissions-Policy: geolocation=(), microphone=(), camera=()");
+    
+    // Content-Security-Policy (angepasst für die verwendeten Ressourcen)
+    $csp = "default-src 'self'; ";
+    $csp .= "script-src 'self' 'unsafe-inline'; ";
+    $csp .= "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; ";
+    $csp .= "font-src 'self' https://fonts.gstatic.com; ";
+    $csp .= "img-src 'self' https://cdn.hexahost.de data:; ";
+    $csp .= "connect-src 'self'; ";
+    $csp .= "frame-ancestors 'none';";
+    header("Content-Security-Policy: " . $csp);
+}
+
 // Sichere Session-Konfiguration
 if (session_status() === PHP_SESSION_NONE) {
    // Session-Cookie-Sicherheit