This commit removes the X-Frame-Options header in favor of using Content Security Policy (CSP) with frame-ancestors for better flexibility and modern security practices. It also adds a fallback for frame-ancestors in case CSP is not enabled. Additionally, the JavaScript middleware is updated to reflect these changes, ensuring consistent security header management across the application.
# Harheimer TC Website - HTTPS VirtualHost
|
|
# Speichern unter: /etc/apache2/sites-available/harheimertc.tsschulz.de-ssl.conf
|
|
|
|
<VirtualHost *:443>
|
|
ServerName harheimertc.tsschulz.de
|
|
ServerAdmin admin@tsschulz.de
|
|
|
|
ErrorLog ${APACHE_LOG_DIR}/harheimertc-ssl-error.log
|
|
CustomLog ${APACHE_LOG_DIR}/harheimertc-ssl-access.log combined
|
|
|
|
# SSL-Konfiguration
|
|
SSLEngine on
|
|
SSLCertificateFile /etc/letsencrypt/live/harheimertc.tsschulz.de/fullchain.pem
|
|
SSLCertificateKeyFile /etc/letsencrypt/live/harheimertc.tsschulz.de/privkey.pem
|
|
|
|
# Moderne SSL-Konfiguration
|
|
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
|
|
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
|
|
SSLHonorCipherOrder off
|
|
SSLSessionTickets off
|
|
|
|
# Security Headers
|
|
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
|
|
# X-Frame-Options entfernt - verwenden CSP frame-ancestors stattdessen (modernere Lösung)
|
|
# Header always set X-Frame-Options SAMEORIGIN
|
|
# X-Content-Type-Options wird vom Nuxt-Server gesetzt
|
|
Header always set Referrer-Policy "strict-origin-when-cross-origin"
|
|
Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
|
|
|
|
# Frame-Ancestors: Erlaubt Einbettung von harheimertc.de und www.harheimertc.de
|
|
# Wird vom Nuxt-Server gesetzt, aber hier als Fallback für den Fall, dass CSP nicht aktiviert ist
|
|
Header always set Content-Security-Policy "frame-ancestors 'self' https://harheimertc.de https://www.harheimertc.de"
|
|
|
|
# Optional: Vollständige Content Security Policy (zusätzlich zu frame-ancestors)
|
|
# Header always set Content-Security-Policy-Report-Only "default-src 'self'; base-uri 'self'; object-src 'none'; frame-ancestors 'self' https://harheimertc.de https://www.harheimertc.de; font-src 'self' https://fonts.gstatic.com data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; script-src 'self'; img-src 'self' data: blob:; connect-src 'self'"
|
|
|
|
# Proxy alle Anfragen an Nuxt Server (Port 3100)
|
|
ProxyPreserveHost On
|
|
ProxyPass / http://localhost:3100/
|
|
ProxyPassReverse / http://localhost:3100/
|
|
</VirtualHost>
|
|
|
|
# HTTP zu HTTPS Redirect
|
|
<VirtualHost *:80>
|
|
ServerName harheimertc.tsschulz.de
|
|
ServerAdmin admin@tsschulz.de
|
|
|
|
ErrorLog ${APACHE_LOG_DIR}/harheimertc-redirect-error.log
|
|
CustomLog ${APACHE_LOG_DIR}/harheimertc-redirect-access.log combined
|
|
|
|
# Redirect zu HTTPS
|
|
RewriteEngine On
|
|
RewriteCond %{SERVER_NAME} =harheimertc.tsschulz.de
|
|
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
|
|
</VirtualHost>
|
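Review bot: The frame-ancestors line is documented as a fallback for when the Nuxt server does not emit a CSP, but `Header always set Content-Security-Policy ...` is unconditional: it does not check whether a Content-Security-Policy header already arrived from the proxied backend, so the full policy from Nuxt is either replaced by the frame-ancestors-only header or sent alongside it as a second CSP header (which of the two happens depends on which header table mod_proxy places the backend's response headers in — worth verifying with curl against the live host). Either way the comment "hier als Fallback" does not describe what the directive does. If the intent is really a fallback, `Header always setifempty Content-Security-Policy "frame-ancestors 'self' https://harheimertc.de https://www.harheimertc.de"` (available since Apache 2.4.7) leaves a backend-supplied policy untouched and only fills the gap when none is present; the comment should then say so explicitly, e.g. `# setifempty: greift nur, wenn der Nuxt-Server keine CSP sendet`. The JavaScript middleware the description mentions is not part of this file, so whether the two policies agree on the allowed frame-ancestors cannot be checked here.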