Create .htaccess

Musiker15 · Musiker15 · commit 295f91ad659b · 2026-04-22T21:46:04.000+02:00
diff --git a/static/.htaccess b/static/.htaccess
@@ -0,0 +1,65 @@
+# ─── Security Headers ──────────────────────────────────────────────────────────
+
+<IfModule mod_headers.c>
+
+    # HSTS: Browsers müssen HTTPS nutzen (1 Jahr, inkl. Subdomains)
+    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
+
+    # Verhindert MIME-Sniffing
+    Header always set X-Content-Type-Options "nosniff"
+
+    # Schutz gegen Clickjacking
+    Header always set X-Frame-Options "SAMEORIGIN"
+
+    # Referrer nur über HTTPS weitergeben
+    Header always set Referrer-Policy "strict-origin-when-cross-origin"
+
+    # Kamera, Mikrofon, etc. deaktivieren sofern nicht benötigt
+    Header always set Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()"
+
+    # Cross-Origin Policies
+    Header always set Cross-Origin-Opener-Policy "same-origin"
+    Header always set Cross-Origin-Embedder-Policy "require-corp"
+    Header always set Cross-Origin-Resource-Policy "same-origin"
+
+    # Content Security Policy
+    # - 'unsafe-inline' für Styles ist nötig da Docusaurus inline CSS injiziert
+    # - 'unsafe-inline' + 'unsafe-eval' für Scripts wegen Docusaurus Runtime
+    # - cdn.jsdelivr.net & fonts für externe Assets
+    Header always set Content-Security-Policy "\
+    default-src 'self'; \
+    script-src 'self' 'unsafe-inline' 'unsafe-eval'; \
+    style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; \
+    font-src 'self' https://fonts.gstatic.com; \
+    img-src 'self' data: https:; \
+    connect-src 'self'; \
+    frame-ancestors 'none'; \
+    base-uri 'self'; \
+    form-action 'self';"
+
+</IfModule>
+
+# ─── Caching ───────────────────────────────────────────────────────────────────
+
+<IfModule mod_expires.c>
+    ExpiresActive On
+
+    # HTML: kein Cache (immer aktuell)
+    ExpiresByType text/html "access plus 0 seconds"
+
+    # Statische Assets: 1 Jahr (Docusaurus nutzt Content-Hashes in Dateinamen)
+    ExpiresByType text/css "access plus 1 year"
+    ExpiresByType application/javascript "access plus 1 year"
+    ExpiresByType image/png "access plus 1 year"
+    ExpiresByType image/jpg "access plus 1 year"
+    ExpiresByType image/jpeg "access plus 1 year"
+    ExpiresByType image/svg+xml "access plus 1 year"
+    ExpiresByType image/x-icon "access plus 1 year"
+    ExpiresByType application/font-woff2 "access plus 1 year"
+</IfModule>
+
+# ─── Compression ───────────────────────────────────────────────────────────────
+
+<IfModule mod_deflate.c>
+    AddOutputFilterByType DEFLATE text/html text/css application/javascript application/json
+</IfModule>
