From 5f5be4a4cbf508618eb43f658b42a99f5e65dedb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=F0=9D=93=9C=F0=9D=93=AA=F0=9D=93=AC=F0=9D=93=AE=E2=84=A2?= <71522630+theoneandonlymace@users.noreply.github.com> Date: Thu, 9 Apr 2026 15:49:03 +0200 Subject: [PATCH] Enhance Content Security Policy in .htaccess: Updated img-src and connect-src directives to include Google Tag Manager and additional Google services, improving security while ensuring compatibility with analytics tools. --- public/.htaccess | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/public/.htaccess b/public/.htaccess index d1e29e2..88a0e7b 100644 --- a/public/.htaccess +++ b/public/.htaccess @@ -11,7 +11,7 @@ Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()" # Content Security Policy - Schutz vor XSS und Code-Injection - Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://www.googletagmanager.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' https://cdn.hexahost.de https://www.google-analytics.com data:; connect-src 'self' https://www.google-analytics.com https://region1.google-analytics.com https://stats.g.doubleclick.net; frame-ancestors 'self' https://tagassistant.google.com; base-uri 'self'; form-action 'self'" + Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://www.googletagmanager.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' https://cdn.hexahost.de https://www.google-analytics.com https://www.googletagmanager.com data:; connect-src 'self' https://www.googletagmanager.com https://www.google.com https://www.google-analytics.com https://region1.google-analytics.com https://stats.g.doubleclick.net; frame-ancestors 'self' https://tagassistant.google.com; base-uri 'self'; form-action 'self'" # Strict-Transport-Security (HSTS) - Erzwingt HTTPS Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" -- 2.47.3