Security

This site is static HTML/CSS hosted on GitHub Pages (custom domain hoppefamily.de).

Important limitation (GitHub Pages)

GitHub Pages does not let you configure arbitrary HTTP response headers (HSTS, CSP as a header, X-Frame-Options, etc.) from this repository.

What this repo can enforce:

  • CSP + Referrer Policy via HTML <meta> tags (already present)
  • No third-party scripts/fonts by design

What requires an edge/proxy in front of GitHub Pages:

  • Strict-Transport-Security
  • Header-based Content-Security-Policy (recommended; meta CSP cannot enforce frame-ancestors reliably)
  • X-Content-Type-Options, X-Frame-Options, etc.

Use these headers at the edge:

  • Strict-Transport-Security: max-age=31536000; includeSubDomains
  • Content-Security-Policy: default-src 'self'; base-uri 'self'; object-src 'none'; frame-ancestors 'none'; form-action 'self'; img-src 'self' data:; style-src 'self'; script-src 'self'; upgrade-insecure-requests
  • Referrer-Policy: no-referrer
  • X-Content-Type-Options: nosniff
  • X-Frame-Options: DENY
  • X-XSS-Protection: 0

Notes:

  • X-Frame-Options: DENY is redundant if CSP frame-ancestors 'none' is set, but harmless.
  • If you ever add inline scripts/styles, CSP will need adjustments (currently we don’t use any).

If hoppefamily.de is proxied through Cloudflare, you can inject these headers at the edge.

Two common ways:

1) Cloudflare Dashboard rules

  • SSL/TLS → Edge Certificates → enable HSTS with max-age=31536000 and includeSubDomains.
  • Rules → Transform Rules → Response Header Modification → set the headers above.

2) Cloudflare Worker

  • Use the worker in cloudflare/worker.js to add headers on every response.

Verify

Run:

python3 scripts/check_live_security_headers.py https://hoppefamily.de

This checks for presence and (where reasonable) expected values.
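An offline-testable version of that check, added here as an example (it is not the repo's scripts/check_live_security_headers.py): check_headers() takes a dict of response headers and reports every deviation from the edge configuration listed above, including the case where CSP exists only as a <meta> tag and therefore never reaches the wire. SAMPLE_EDGE_HEADERS is a constructed sample mirroring the recommended headers.

```python
# Added example, not the repo's scripts/check_live_security_headers.py: checks a dict of
# response headers against the edge configuration listed above, so it can run offline.
import re

HSTS_MIN_AGE = 31536000  # one year, as recommended above
REQUIRED_CSP = {"default-src": "'self'", "base-uri": "'self'", "object-src": "'none'",
                "frame-ancestors": "'none'", "form-action": "'self'"}
EXACT = {"referrer-policy": "no-referrer", "x-content-type-options": "nosniff",
         "x-frame-options": "deny", "x-xss-protection": "0"}
SAMPLE_EDGE_HEADERS = {  # constructed sample: what the edge should send once configured
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; base-uri 'self'; object-src 'none'; "
                               "frame-ancestors 'none'; form-action 'self'; img-src 'self' data:; "
                               "style-src 'self'; script-src 'self'; upgrade-insecure-requests",
    "Referrer-Policy": "no-referrer", "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY", "X-XSS-Protection": "0",
}

def parse_csp(value):
    """Map each CSP directive name to its value string ('' for valueless directives)."""
    parts = [p.split() for p in value.split(";")]
    return {p[0].lower(): " ".join(p[1:]) for p in parts if p}

def check_headers(headers):
    """Return a list of findings; an empty list means every expected header is right."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        if not m or int(m.group(1)) < HSTS_MIN_AGE:
            findings.append(f"HSTS max-age below {HSTS_MIN_AGE}: {hsts!r}")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")
    csp = h.get("content-security-policy")
    if csp is None:
        # A <meta> CSP never shows up here; frame-ancestors only works as a header.
        findings.append("missing Content-Security-Policy header")
    else:
        got = parse_csp(csp)
        for name, want in REQUIRED_CSP.items():
            if got.get(name) != want:
                findings.append(f"CSP {name} is {got.get(name)!r}, expected {want}")
    for name, want in EXACT.items():
        if h.get(name, "").lower() != want:
            findings.append(f"{name} is {h.get(name)!r}, expected {want}")
    return findings
```

For a live site, pass it `dict(resp.headers.items())` from a urllib.request HEAD response to https://hoppefamily.de.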