CSP erweitert um upgrade-insecure-requests und block-all-mixed-content in index.html

2026-02-24 12:07:14 +01:00 · 2026-02-24 12:07:14 +01:00 · a9f93b8537
commit a9f93b8537
parent a6533bfb3d
2 changed files with 5 additions and 2 deletions
--- a/.claude/settings.local.json
+++ b/.claude/settings.local.json
@ -34,7 +34,10 @@
      "Bash(gh run list --limit 5)",
      "Bash(gh run view 22346323845)",
      "Bash(gh run view 22346323845 --log-failed)",
-      "Bash(gh run view 22346839541)"
+      "Bash(gh run view 22346839541)",
      "WebFetch(domain:go.vanityontour.de)",
      "Bash(git add index.html)",
      "Bash(git commit -m \"Security fixes: Add CSP, referrer policy, fix invalid HTML\n\n- Add Content Security Policy header\n- Add strict referrer policy  \n- Fix missing rel=\"\"noopener noreferrer\"\" on external link\n- Replace invalid </br> tags with proper div spacing\n- Improve overall security posture\n\n🤖 Generated with [Claude Code](https://claude.ai/code)\n\nCo-Authored-By: Claude <noreply@anthropic.com>\")"
    ],
    "deny": [],
    "ask": [],
--- a/index.html
+++ b/index.html
@ -3,7 +3,7 @@
 <head>
  <meta charset="utf-8" />
  <meta name="viewport" content="width=device-width,initial-scale=1" />
-  <meta http-equiv="Content-Security-Policy" content="default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'none'; frame-src 'none'; object-src 'none';" />
+  <meta http-equiv="Content-Security-Policy" content="default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'none'; frame-src 'none'; object-src 'none'; upgrade-insecure-requests; block-all-mixed-content;" />
  <meta name="referrer" content="strict-origin-when-cross-origin" />
  <meta name="description" content="Vanity on Tour: Vanlife trifft Technik – Apps, Tools, Blog & Projekte." />
  <title>Vanity on Tour – Go</title>