Update security headers in Apache configuration to enhance protection

This commit removes the X-Frame-Options header in favor of using Content Security Policy (CSP) with frame-ancestors for better flexibility and modern security practices. It also adds a fallback for frame-ancestors in case CSP is not enabled. Additionally, the JavaScript middleware is updated to reflect these changes, ensuring consistent security header management across the application.

server/api/members.get.js

@@ -28,15 +28,19 @@ export default defineEventHandler(async (event) => {
 
     // Merge members: combine manual + registered, detect duplicates
     const mergedMembers = []
-    const processedEmails = new Set()
-    const processedNames = new Set()
+    
+    // Create lookup maps for O(1) matching instead of O(n) findIndex
+    const emailToIndexMap = new Map() // email -> index in mergedMembers
+    const nameToIndexMap = new Map()  // name -> index in mergedMembers
 
-    // First, add all manual members
-    for (const member of manualMembers) {
+    // First, add all manual members and build lookup maps
+    for (let i = 0; i < manualMembers.length; i++) {
+      const member = manualMembers[i]
       const normalizedEmail = member.email?.toLowerCase().trim() || ''
       const fullName = `${member.firstName || ''} ${member.lastName || ''}`.trim()
       const normalizedName = fullName.toLowerCase()
 
+      const memberIndex = mergedMembers.length
       mergedMembers.push({
         ...member,
         name: fullName, // Computed for display
@@ -45,8 +49,19 @@ export default defineEventHandler(async (event) => {
         hasLogin: false
       })
 
-      if (normalizedEmail) processedEmails.add(normalizedEmail)
-      if (normalizedName) processedNames.add(normalizedName)
+      // Build lookup maps (only for manual members)
+      if (normalizedEmail) {
+        // Only add if not already present (prefer first occurrence)
+        if (!emailToIndexMap.has(normalizedEmail)) {
+          emailToIndexMap.set(normalizedEmail, memberIndex)
+        }
+      }
+      if (normalizedName) {
+        // Only add if not already present (prefer first occurrence)
+        if (!nameToIndexMap.has(normalizedName)) {
+          nameToIndexMap.set(normalizedName, memberIndex)
+        }
+      }
     }
 
     // Then add registered users (only active ones)
@@ -56,21 +71,35 @@ export default defineEventHandler(async (event) => {
       const normalizedEmail = user.email?.toLowerCase().trim() || ''
       const normalizedName = user.name?.toLowerCase().trim() || ''
 
-      // Check if this user matches an existing manual member
+      // Check if this user matches an existing manual member using O(1) lookup
       let matchedManualIndex = -1
 
-      // Try to match by email first
-      if (normalizedEmail) {
-        matchedManualIndex = mergedMembers.findIndex(
-          m => m.source === 'manual' && m.email?.toLowerCase().trim() === normalizedEmail
-        )
+      // Try to match by email first (O(1) lookup)
+      if (normalizedEmail && emailToIndexMap.has(normalizedEmail)) {
+        matchedManualIndex = emailToIndexMap.get(normalizedEmail)
+        // Verify it's still a manual member (safety check)
+        if (mergedMembers[matchedManualIndex]?.source !== 'manual') {
+          matchedManualIndex = -1
+        }
       }
 
-      // If no email match, try name
-      if (matchedManualIndex === -1 && normalizedName) {
-        matchedManualIndex = mergedMembers.findIndex(
-          m => m.source === 'manual' && m.name?.toLowerCase().trim() === normalizedName
-        )
+      // If no email match, try name (O(1) lookup)
+      if (matchedManualIndex === -1 && normalizedName && nameToIndexMap.has(normalizedName)) {
+        matchedManualIndex = nameToIndexMap.get(normalizedName)
+        // Verify it's still a manual member and email doesn't conflict (safety check)
+        const candidate = mergedMembers[matchedManualIndex]
+        if (candidate?.source === 'manual') {
+          // Additional safety: if candidate has email, make sure it doesn't conflict
+          const candidateEmail = candidate.email?.toLowerCase().trim() || ''
+          if (!candidateEmail || candidateEmail === normalizedEmail) {
+            // Safe to match by name
+          } else {
+            // Email mismatch - don't match by name alone
+            matchedManualIndex = -1
+          }
+        } else {
+          matchedManualIndex = -1
+        }
       }
 
       if (matchedManualIndex !== -1) {

server/middleware/security-headers.js

@@ -17,13 +17,17 @@ export default defineEventHandler((event) => {
   setHeader(event, 'Referrer-Policy', 'strict-origin-when-cross-origin')
   setHeader(event, 'Permissions-Policy', 'geolocation=(), microphone=(), camera=()')
 
-  // X-Frame-Options: SAMEORIGIN (DENY wäre strenger, verhindert aber iFrames komplett)
-  setHeader(event, 'X-Frame-Options', 'SAMEORIGIN')
-
+  // X-Frame-Options entfernt - verwenden CSP frame-ancestors stattdessen
+  // CSP frame-ancestors ist moderner und unterstützt mehrere Domains
+  
   // Legacy-Header (optional; moderne Browser verlassen sich primär auf CSP)
   setHeader(event, 'X-XSS-Protection', '0')
 
-  // Optional: CSP
+  // Frame-Ancestors (für Einbettung von harheimertc.de erlauben)
+  const allowedFrameAncestors = process.env.FRAME_ANCESTORS || 
+    "'self' https://harheimertc.de https://www.harheimertc.de"
+
+  // Optional: Vollständige CSP
   const cspEnabled = (process.env.CSP_ENABLED || '').toLowerCase() === 'true'
   if (cspEnabled) {
     const reportOnly = (process.env.CSP_REPORT_ONLY || 'true').toLowerCase() !== 'false'
@@ -33,7 +37,7 @@ export default defineEventHandler((event) => {
         "default-src 'self'",
         "base-uri 'self'",
         "object-src 'none'",
-        "frame-ancestors 'self'",
+        `frame-ancestors ${allowedFrameAncestors}`,
         // Nuxt lädt Fonts ggf. von Google (siehe nuxt.config.js)
         "font-src 'self' https://fonts.gstatic.com data:",
         "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
@@ -44,6 +48,9 @@ export default defineEventHandler((event) => {
       ].join('; ')
 
     setHeader(event, reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy', cspValue)
+  } else {
+    // Wenn CSP nicht aktiviert ist, setze nur frame-ancestors
+    setHeader(event, 'Content-Security-Policy', `frame-ancestors ${allowedFrameAncestors}`)
   }
 })