harden CSP and integrate CSP+RP into HTTP header

layouts/_default/baseof.html

@@ -2,8 +2,6 @@
 <html lang="{{.Site.Language.Lang }}">
     <head>
         <title>Ecogood portal</title>
-        <meta http-equiv="Content-Security-Policy" content="default-src 'self'; child-src 'none';">
-        <meta name="referrer" content="no-referrer">
         <link rel="stylesheet" href="{{ "ecogood.css" | absURL }}"/>
         <link rel="icon" href="{{ "favicon-cropped.webp" | absURL }}" sizes="32x32" />
         <link rel="icon" href="{{ "favicon.webp" | absURL }}" sizes="192x192" />

public/.htaccess

@@ -1,8 +1,15 @@
+# authentication
 AuthType Basic
 AuthName "Geschuetzter Bereich. Zugangsdaten koennen beim AK-IT unbuerokratish angefordert werden."
 AuthUserFile /home/pacs/ecg00/users/portal/doms/my.ecogood.world/.htpasswd
 Require valid-user
 
+# CSP Starter Policy: allows images, scripts, AJAX, and CSS from the same origin, and does not allow any other resources to load (eg object, frame, media, etc).
+Header set Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';"
+
+# Referrer Policy
+Header always set Referrer-Policy "no-referrer"
+
 # redirection depending on the language
 RewriteEngine on
 

static/.htaccess

@@ -1,8 +1,15 @@
+# authentication
 AuthType Basic
 AuthName "Geschuetzter Bereich. Zugangsdaten koennen beim AK-IT unbuerokratish angefordert werden."
 AuthUserFile /home/pacs/ecg00/users/portal/doms/my.ecogood.world/.htpasswd
 Require valid-user
 
+# CSP Starter Policy: allows images, scripts, AJAX, and CSS from the same origin, and does not allow any other resources to load (eg object, frame, media, etc).
+Header set Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';"
+
+# Referrer Policy
+Header always set Referrer-Policy "no-referrer"
+
 # redirection depending on the language
 RewriteEngine on