torsten/harheimertc
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update security headers in Apache configuration to enhance protection
Some checks failed
Code Analysis (JS/Vue) / analyze (push) Failing after 47s
Details

Browse Source 
This commit removes the X-Frame-Options header in favor of using Content Security Policy (CSP) with frame-ancestors for better flexibility and modern security practices. It also adds a fallback for frame-ancestors in case CSP is not enabled. Additionally, the JavaScript middleware is updated to reflect these changes, ensuring consistent security header management across the application.
This commit is contained in:
Torsten Schulz (local)
2026-01-11 20:59:42 +01:00
parent 01cf0e58cb
commit 12ae192b37
4 changed files with 73 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
apache-ssl-config.conf
View File

@@ -21,13 +21,18 @@
# Security Headers
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options SAMEORIGIN
# X-Frame-Options entfernt - verwenden CSP frame-ancestors stattdessen (modernere Lösung)
# Header always set X-Frame-Options SAMEORIGIN
# X-Content-Type-Options wird vom Nuxt-Server gesetzt
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
# Frame-Ancestors: Erlaubt Einbettung von harheimertc.de und www.harheimertc.de
# Wird vom Nuxt-Server gesetzt, aber hier als Fallback für den Fall, dass CSP nicht aktiviert ist
Header always set Content-Security-Policy "frame-ancestors 'self' https://harheimertc.de https://www.harheimertc.de"
# Optional: Content Security Policy (zuerst Report-Only testen)
# Header always set Content-Security-Policy-Report-Only "default-src 'self'; base-uri 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self' https://fonts.gstatic.com data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; script-src 'self'; img-src 'self' data: blob:; connect-src 'self'"
# Optional: Vollständige Content Security Policy (zusätzlich zu frame-ancestors)
# Header always set Content-Security-Policy-Report-Only "default-src 'self'; base-uri 'self'; object-src 'none'; frame-ancestors 'self' https://harheimertc.de https://www.harheimertc.de; font-src 'self' https://fonts.gstatic.com data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; script-src 'self'; img-src 'self' data: blob:; connect-src 'self'"
# Proxy alle Anfragen an Nuxt Server (Port 3100)
ProxyPreserveHost On