diff --git a/public/.htaccess b/public/.htaccess index 6d78843..d1e29e2 100644 --- a/public/.htaccess +++ b/public/.htaccess @@ -4,13 +4,14 @@ # Sicherheitsheader Header always set X-Content-Type-Options nosniff - Header always set X-Frame-Options DENY + # X-Frame-Options entfernt, da sonst Tag Assistant (Iframe) nicht funktionieren kann. + # Absicherung erfolgt stattdessen granular über CSP frame-ancestors. Header always set X-XSS-Protection "1; mode=block" Header always set Referrer-Policy "strict-origin-when-cross-origin" Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()" # Content Security Policy - Schutz vor XSS und Code-Injection - Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' https://cdn.hexahost.de data:; connect-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'" + Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://www.googletagmanager.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' https://cdn.hexahost.de https://www.google-analytics.com data:; connect-src 'self' https://www.google-analytics.com https://region1.google-analytics.com https://stats.g.doubleclick.net; frame-ancestors 'self' https://tagassistant.google.com; base-uri 'self'; form-action 'self'" # Strict-Transport-Security (HSTS) - Erzwingt HTTPS Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"