From 4201a90fd0196611b8c641803f5ed2f4217c7fc1 Mon Sep 17 00:00:00 2001 From: duffyduck Date: Thu, 7 May 2026 18:00:56 +0200 Subject: [PATCH] docs: HTTPS_ENABLED-Flag in Erledigt-Liste dokumentieren Co-Authored-By: Claude Opus 4.7 (1M context) --- docs/todo.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/todo.md b/docs/todo.md index d221d076..a948dfc5 100644 --- a/docs/todo.md +++ b/docs/todo.md @@ -97,6 +97,12 @@ isolierte Instanz (keine Multi-Tenancy im Code), Provisioning + Abrechnung ## ✅ Erledigt +- [x] **🔒 HTTPS-only-Header per Flag (`HTTPS_ENABLED`)** + - HSTS + `upgrade-insecure-requests` (CSP) sperrten den Browser bei + direktem `http://ip:port`-Zugriff aus (`ERR_SSL_PROTOCOL_ERROR`). + - Beide Header default OFF, kommen nur mit `HTTPS_ENABLED=true` (sobald + TLS-Reverse-Proxy davor steht). + - [x] **🗃️ Prisma-Migrations-System (statt `db push`)** - Initial-Migration `0_init` aus aktuellem Schema generiert (`prisma migrate diff --from-empty --to-schema-datamodel`).
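Review bot: The second added bullet ("Beide Header default OFF, kommen nur mit `HTTPS_ENABLED=true`") leaves out the rollback caveat and where the flag is set. Once HSTS has been delivered over HTTPS for a hostname, browsers keep enforcing it until its max-age expires, so setting the flag back to false does not immediately restore plain-HTTP access. Please add a sub-bullet stating this, and name the place where `HTTPS_ENABLED` is configured (environment file or deployment docs) so operators can find it from this entry. In the first bullet, it is worth checking whether HSTS really contributed to the `ERR_SSL_PROTOCOL_ERROR` on `http://ip:port`: RFC 6797 has browsers ignore the header when it arrives over plain HTTP and for IP-literal hosts, which would leave `upgrade-insecure-requests` as the actual cause, and the wording could say so.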