From 2d9f1838b6a7b44bc0a4b16e302615609be4384a Mon Sep 17 00:00:00 2001
From: "Claw (KI-Assistent)" <mki@kies-media.de>
Date: Thu, 21 May 2026 23:04:52 +0000
Subject: [PATCH] fix(security): add CSP and security headers via .htaccess
 (#41)

- Content-Security-Policy: strict CSP for static landingpage
- X-Content-Type-Options: nosniff
- X-Frame-Options: SAMEORIGIN
- Referrer-Policy: strict-origin-when-cross-origin

Fix #41
---
 public/.htaccess | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/public/.htaccess b/public/.htaccess
index 9be60ac..2f7644c 100644
--- a/public/.htaccess
+++ b/public/.htaccess
@@ -1,6 +1,14 @@
 # Enable rewrite engine
 RewriteEngine On
 
+# Security Headers
+<IfModule mod_headers.c>
+    Header set X-Content-Type-Options "nosniff"
+    Header set X-Frame-Options "SAMEORIGIN"
+    Header set Referrer-Policy "strict-origin-when-cross-origin"
+    Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; frame-src https://www.google.com/ https://www.google.de/; connect-src 'self'"
+</IfModule>
+
 # Legacy redirects (301) – must be before the catch-all
 RewriteRule ^impressum\.html$ /impressum [R=301,L]
 RewriteRule ^datenschutz\.html$ /datenschutz [R=301,L]