diff --git a/public/sw.js b/public/sw.js
index 74d1dbd..884c65c 100644
--- a/public/sw.js
+++ b/public/sw.js
@@ -12,9 +12,9 @@
 * API: Immer Netzwerk (kein Caching von Nutzerdaten)
 */
 
-const SHELL_CACHE = 'oikos-shell-v9';
-const PAGES_CACHE = 'oikos-pages-v9';
-const ASSETS_CACHE = 'oikos-assets-v9';
+const SHELL_CACHE = 'oikos-shell-v10';
+const PAGES_CACHE = 'oikos-pages-v10';
+const ASSETS_CACHE = 'oikos-assets-v10';
 const ALL_CACHES = [SHELL_CACHE, PAGES_CACHE, ASSETS_CACHE];
 
 // App-Shell: sofort benötigt für ersten Render
diff --git a/server/index.js b/server/index.js
index 6d98bcf..ec1b3f9 100644
--- a/server/index.js
+++ b/server/index.js
@@ -30,6 +30,7 @@ const PORT = process.env.PORT || 3000;
 // --------------------------------------------------------
 // Security-Middleware
 // --------------------------------------------------------
+const isSecure = process.env.SESSION_SECURE !== 'false';
 app.use(helmet({
 contentSecurityPolicy: {
 directives: {
@@ -45,13 +46,16 @@ app.use(helmet({
 fontSrc: ["'self'"],
 objectSrc: ["'none'"],
 frameSrc: ["'none'"],
+ // upgrade-insecure-requests nur mit HTTPS aktivieren
+ upgradeInsecureRequests: isSecure ? [] : null,
 },
 },
-hsts: {
+ // HSTS nur mit HTTPS aktivieren
+ hsts: isSecure ? {
 maxAge: 31536000,
 includeSubDomains: true,
 preload: true,
-},
+ } : false,
 }));
 
 // Trust Proxy für korrekte IP hinter Nginx
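Review bot: `isSecure` is read from `SESSION_SECURE`, a variable whose name says it governs the session cookie's `secure` flag, yet the following hunk uses it to switch off HSTS and `upgrade-insecure-requests` as well; an operator who sets `SESSION_SECURE=false` to debug cookies on a deployed host will silently drop the transport-security headers. The default is the safe direction (only the literal string `'false'` disables it), so the main risk is a misread of what the variable now means. Consider a dedicated variable, or at least a startup warning right after the declaration, e.g. `if (!isSecure && process.env.NODE_ENV === 'production') console.warn('SESSION_SECURE=false: HSTS and upgrade-insecure-requests are disabled');`, and a comment stating the widened scope: `// SESSION_SECURE=false (local plain-HTTP development only) also disables HSTS and upgrade-insecure-requests below`. Whether `NODE_ENV` is consulted elsewhere in this file is not visible in the hunk.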
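Review bot: Setting `hsts: false` when `isSecure` is off only stops emitting the header; browsers that already received `max-age=31536000` with `includeSubDomains` keep enforcing HTTPS for up to a year, and once the domain is on the preload list (`preload: true`) the policy cannot be withdrawn from clients at all, so this switch is a development convenience, not a way to roll HSTS back on a host that has served it. The comment on the `hsts:` line should say so, e.g. `// HSTS only when served over HTTPS; false merely omits the header — clients that cached it keep enforcing it`. The `upgradeInsecureRequests: isSecure ? [] : null` form is the correct way to remove helmet's default directive, and the two switches are consistent with each other. The enclosing `app.use(helmet({ ... }))` call begins before this hunk.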