Update Apache SSL configuration and enhance security features across multiple files. Changed X-Frame-Options to SAMEORIGIN for better security, added optional Content Security Policy headers for testing, and improved password handling with HaveIBeenPwned checks during user registration and password reset. Implemented passkey login functionality in the authentication flow, including UI updates for user experience. Enhanced image upload processing with size limits and validation, and added rate limiting for various API endpoints to prevent abuse.

server/utils/cookies.js

@@ -0,0 +1,46 @@
+function isProduction() {
+  return process.env.NODE_ENV === 'production'
+}
+
+export function getCookieSecureDefault() {
+  // In Produktion: immer Secure (auch wenn HTTPS via Apache terminiert).
+  // In Dev: default false, damit Login über http://localhost funktioniert.
+  if (process.env.COOKIE_SECURE === 'true') return true
+  if (process.env.COOKIE_SECURE === 'false') return false
+  return isProduction()
+}
+
+export function getSameSiteDefault() {
+  // Erwartung aus Security-Feedback: Strict. In Dev ggf. Lax, damit SSO/Flows nicht nerven.
+  const v = (process.env.COOKIE_SAMESITE || '').toLowerCase().trim()
+  if (v === 'strict' || v === 'lax' || v === 'none') return v
+  return isProduction() ? 'strict' : 'lax'
+}
+
+export function getAuthCookieOptions() {
+  return {
+    httpOnly: true,
+    secure: getCookieSecureDefault(),
+    sameSite: getSameSiteDefault(),
+    maxAge: 60 * 60 * 24 * 7 // 7 days
+  }
+}
+
+export function getDownloadCookieOptions() {
+  // Download-Token ist kurzlebig; SameSite strict ist ok.
+  return {
+    httpOnly: true,
+    secure: getCookieSecureDefault(),
+    sameSite: 'strict',
+    maxAge: 60 * 60 * 24 // 24 Stunden
+  }
+}
+
+export function getDownloadCookieOptionsWithMaxAge(maxAgeSeconds) {
+  return {
+    ...getDownloadCookieOptions(),
+    maxAge: Number(maxAgeSeconds) || getDownloadCookieOptions().maxAge
+  }
+}
+
+