From 8f3f5cce015966e7ea9eff2a56173595a2d9048c Mon Sep 17 00:00:00 2001
From: ulsklyc
Date: Thu, 26 Mar 2026 13:25:32 +0100
Subject: [PATCH] =?UTF-8?q?fix:=20CSP=20inline-script=20hash=20+=20SESSION?= =?UTF-8?q?=5FSECURE=3Dfalse=20f=C3=BCr=20HTTP-Betrieb?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- CSP: SHA-256-Hash für Theme-Detection Inline-Script hinzugefügt
- docker-compose: SESSION_SECURE=false, damit HSTS und upgrade-insecure-requests bei direktem HTTP-Zugriff deaktiviert sind

Co-Authored-By: Claude Opus 4.6
---
 docker-compose.yml | 2 ++
 server/index.js | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/docker-compose.yml b/docker-compose.yml
index 6c97144..85c7321 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -12,6 +12,8 @@ services:
     environment:
       - NODE_ENV=production
       - DB_PATH=/data/oikos.db
+      # Auf false setzen wenn kein HTTPS/Reverse-Proxy (direkter HTTP-Zugriff)
+      - SESSION_SECURE=false
     healthcheck:
       test: ["CMD", "node", "-e", "require('http').get('http://localhost:3000/health', r => process.exit(r.statusCode === 200 ? 0 : 1))"]
       interval: 30s
diff --git a/server/index.js b/server/index.js
index 3e4798b..57b7356 100644
--- a/server/index.js
+++ b/server/index.js
@@ -37,6 +37,8 @@ app.use(helmet({
       defaultSrc: ["'self'"],
       scriptSrc: [
         "'self'",
+        // Inline-Script: Theme-Detection (Flash-Prevention)
+        "'sha256-vqqBNo1oitnzIntwkG83UaYqkUAnV/oZ/RkvcA41Y6A='",
         // Alpine.js CDN (optional, falls verwendet)
         'https://cdn.jsdelivr.net',
       ],
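Review bot: `SESSION_SECURE=false` becomes the shipped default of a compose file that also sets `NODE_ENV=production`, so — going by the variable's name and the commit message — every deployment that does not edit the file runs without the Secure cookie flag, HSTS and upgrade-insecure-requests, including deployments that later put a TLS-terminating proxy in front and forget to flip it back. Keeping the safe default and making plain-HTTP an explicit opt-out is one line: `- SESSION_SECURE=${SESSION_SECURE:-true}`, with the comment `# Set SESSION_SECURE=false in .env only for direct HTTP access with no TLS proxy; session cookies are then readable on the wire`. I cannot see how `server/index.js` consumes the variable, so confirm it compares against the string "false" rather than relying on truthiness, and that a TLS-proxy setup also has `trust proxy` enabled — otherwise `secure` cookies are never set behind the proxy even with the flag on.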
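Review bot: The new `'sha256-…'` entry in `scriptSrc` is a bare literal with nothing tying it to the inline script it covers; any change to that script's bytes, even whitespace or a reformat, silently invalidates the hash and the browser blocks the script, so the theme flash returns with no server-side error. At minimum the comment should name the template holding the inline `<script>` and how to regenerate the value, e.g. `// SHA-256 of the inline theme-detection <script> in the layout template; regenerate after any edit: openssl dgst -sha256 -binary < theme.js | openssl base64 -A`. Better, if the script source is available as a string on the server, derive the entry with `` `'sha256-${crypto.createHash('sha256').update(script).digest('base64')}'` `` so it cannot drift, or use a per-request nonce if the markup is rendered server-side; note a hash only whitelists inline `<script>` blocks, not inline event-handler attributes. The enclosing `app.use(helmet({` call starts before the hunk and continues after the closing `],`.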