Update Apache SSL configuration and enhance security features across multiple files. Changed X-Frame-Options to SAMEORIGIN for better security, added optional Content Security Policy headers for testing, and improved password handling with HaveIBeenPwned checks during user registration and password reset. Implemented passkey login functionality in the authentication flow, including UI updates for user experience. Enhanced image upload processing with size limits and validation, and added rate limiting for various API endpoints to prevent abuse.

env.example

@@ -30,3 +30,39 @@ DATA_PATH=server/data
 # Debug-Modi
 DEBUG=true
 VERBOSE_LOGGING=true
+
+# Cookies (Security Hardening)
+# - In Produktion sollte COOKIE_SECURE=true sein (Browser sendet Cookie nur über HTTPS)
+# - SameSite=Strict ist am restriktivsten (kann iFrame/3rd-party Flows einschränken)
+COOKIE_SECURE=
+COOKIE_SAMESITE=
+
+# Security Headers / CSP
+# - CSP_ENABLED: aktiviert CSP-Header (empfohlen zuerst im Report-Only Modus testen)
+# - CSP_REPORT_ONLY: wenn true (Default), setzt Content-Security-Policy-Report-Only statt CSP enforcing
+# - CSP_VALUE: optional eigene Policy
+CSP_ENABLED=false
+CSP_REPORT_ONLY=true
+CSP_VALUE=
+
+# HaveIBeenPwned (Pwned Passwords, k-Anonymity)
+HIBP_ENABLED=false
+HIBP_USER_AGENT=harheimertc
+HIBP_TIMEOUT_MS=4000
+HIBP_CACHE_TTL_MS=21600000
+# Wenn true: bei HIBP-Fehlern (Timeout/5xx) wird Registrierung/Passwortwechsel abgelehnt
+HIBP_FAIL_CLOSED=false
+
+# Audit Logging (JSONL unter server/data/audit.log.jsonl)
+AUDIT_LOG_ENABLED=true
+
+# WebAuthn / Passkeys
+# Für Produktion unbedingt setzen:
+# - WEBAUTHN_ORIGIN z.B. https://harheimertc.tsschulz.de
+# - WEBAUTHN_RP_ID z.B. harheimertc.tsschulz.de
+# - WEBAUTHN_RP_NAME frei wählbar (Anzeige im Browser)
+WEBAUTHN_ORIGIN=
+WEBAUTHN_RP_ID=
+WEBAUTHN_RP_NAME=Harheimer TC
+# Optional: erzwingt User Verification (z.B. biometrisch/PIN am Gerät)
+WEBAUTHN_REQUIRE_UV=false