Enhance security and configuration of contact form: Added Content Security Policy and Strict-Transport-Security headers in .htaccess for improved security. Updated error handling to use a single 404.php for various error codes. Removed deprecated config.php and composer.json files, and implemented IP address detection for better security. Added honeypot field for bot protection in contact form and improved session security settings in functions.php.

2026-01-13 23:04:05 +01:00
parent a1b303edde
commit 2df47dc461
14 changed files with 233 additions and 12 deletions
--- a/public/.htaccess
+++ b/public/.htaccess
@@ -8,6 +8,12 @@
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
+    
+    # Content Security Policy - Schutz vor XSS und Code-Injection
+    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' https://cdn.hexahost.de data:; connect-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'"
+    
+    # Strict-Transport-Security (HSTS) - Erzwingt HTTPS
+    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
 </IfModule>

 # HTTPS erzwingen (falls SSL verfügbar)
@@ -48,6 +54,16 @@
    Deny from all
 </Files>

+# Config-Verzeichnis schützen
+<IfModule mod_rewrite.c>
+    RewriteRule ^config/ - [F,L]
+</IfModule>
+
+# Includes-Verzeichnis schützen (direkter Zugriff verhindern)
+<IfModule mod_rewrite.c>
+    RewriteRule ^includes/ - [F,L]
+</IfModule>
+
 # Logs-Verzeichnis schützen
 <IfModule mod_rewrite.c>
    RewriteRule ^logs/ - [F,L]
@@ -95,14 +111,25 @@
 </IfModule>

 # Fehlerbehandlung
-ErrorDocument 404 /404.html
-ErrorDocument 500 /500.html
+ErrorDocument 400 /404.php
+ErrorDocument 401 /404.php
+ErrorDocument 403 /404.php
+ErrorDocument 404 /404.php
+ErrorDocument 500 /500.php
+ErrorDocument 502 /500.php
+ErrorDocument 503 /500.php

 # Verzeichnis-Listing deaktivieren
 Options -Indexes

 # Datei-Zugriff beschränken
-<FilesMatch "\.(htaccess|htpasswd|ini|log|sh|inc|bak)$">
+<FilesMatch "\.(htaccess|htpasswd|ini|log|sh|inc|bak|sql|env|yml|yaml|json|xml|md)$">
    Order Allow,Deny
    Deny from all
+</FilesMatch>
+
+# Spezifische Ausnahmen für benötigte XML-Dateien
+<FilesMatch "^(sitemap\.xml|robots\.txt)$">
+    Order Allow,Deny
+    Allow from all
 </FilesMatch>