From 73ba422655482cf30e221f9a5af42fa520439de8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=F0=9D=93=9C=F0=9D=93=AA=F0=9D=93=AC=F0=9D=93=AE=E2=84=A2?=
 <71522630+theoneandonlymace@users.noreply.github.com>
Date: Thu, 9 Apr 2026 15:46:11 +0200
Subject: [PATCH] Update .htaccess for enhanced security and Google Tag
 Assistant compatibility: Removed X-Frame-Options header and adjusted Content
 Security Policy to allow Google Tag Manager and Google Analytics, ensuring
 compliance with security standards while maintaining functionality.

---
 public/.htaccess | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/public/.htaccess b/public/.htaccess
index 6d78843..d1e29e2 100644
--- a/public/.htaccess
+++ b/public/.htaccess
@@ -4,13 +4,14 @@
 # Sicherheitsheader
 <IfModule mod_headers.c>
     Header always set X-Content-Type-Options nosniff
-    Header always set X-Frame-Options DENY
+    # X-Frame-Options entfernt, da sonst Tag Assistant (Iframe) nicht funktionieren kann.
+    # Absicherung erfolgt stattdessen granular über CSP frame-ancestors.
     Header always set X-XSS-Protection "1; mode=block"
     Header always set Referrer-Policy "strict-origin-when-cross-origin"
     Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
     
     # Content Security Policy - Schutz vor XSS und Code-Injection
-    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' https://cdn.hexahost.de data:; connect-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'"
+    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://www.googletagmanager.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' https://cdn.hexahost.de https://www.google-analytics.com data:; connect-src 'self' https://www.google-analytics.com https://region1.google-analytics.com https://stats.g.doubleclick.net; frame-ancestors 'self' https://tagassistant.google.com; base-uri 'self'; form-action 'self'"
     
     # Strict-Transport-Security (HSTS) - Erzwingt HTTPS
     Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
-- 
2.47.3