Update security headers in Apache configuration to enhance protection

This commit removes the X-Frame-Options header in favor of using Content Security Policy (CSP) with frame-ancestors for better flexibility and modern security practices. It also adds a fallback for frame-ancestors in case CSP is not enabled. Additionally, the JavaScript middleware is updated to reflect these changes, ensuring consistent security header management across the application.
2026-01-11 20:59:42 +01:00
parent 01cf0e58cb
commit 12ae192b37
4 changed files with 73 additions and 28 deletions
--- a/server/middleware/security-headers.js
+++ b/server/middleware/security-headers.js
@@ -17,13 +17,17 @@ export default defineEventHandler((event) => {
  setHeader(event, 'Referrer-Policy', 'strict-origin-when-cross-origin')
  setHeader(event, 'Permissions-Policy', 'geolocation=(), microphone=(), camera=()')

-  // X-Frame-Options: SAMEORIGIN (DENY wäre strenger, verhindert aber iFrames komplett)
-  setHeader(event, 'X-Frame-Options', 'SAMEORIGIN')
-
+  // X-Frame-Options entfernt - verwenden CSP frame-ancestors stattdessen
+  // CSP frame-ancestors ist moderner und unterstützt mehrere Domains
+  
  // Legacy-Header (optional; moderne Browser verlassen sich primär auf CSP)
  setHeader(event, 'X-XSS-Protection', '0')

-  // Optional: CSP
+  // Frame-Ancestors (für Einbettung von harheimertc.de erlauben)
+  const allowedFrameAncestors = process.env.FRAME_ANCESTORS || 
+    "'self' https://harheimertc.de https://www.harheimertc.de"
+
+  // Optional: Vollständige CSP
  const cspEnabled = (process.env.CSP_ENABLED || '').toLowerCase() === 'true'
  if (cspEnabled) {
    const reportOnly = (process.env.CSP_REPORT_ONLY || 'true').toLowerCase() !== 'false'
@@ -33,7 +37,7 @@ export default defineEventHandler((event) => {
        "default-src 'self'",
        "base-uri 'self'",
        "object-src 'none'",
-        "frame-ancestors 'self'",
+        `frame-ancestors ${allowedFrameAncestors}`,
        // Nuxt lädt Fonts ggf. von Google (siehe nuxt.config.js)
        "font-src 'self' https://fonts.gstatic.com data:",
        "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
@@ -44,6 +48,9 @@ export default defineEventHandler((event) => {
      ].join('; ')

    setHeader(event, reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy', cspValue)
+  } else {
+    // Wenn CSP nicht aktiviert ist, setze nur frame-ancestors
+    setHeader(event, 'Content-Security-Policy', `frame-ancestors ${allowedFrameAncestors}`)
  }
 })