From eccce7e5397b1d67e2602694e53a4b4a7264ad50 Mon Sep 17 00:00:00 2001
From: Stefan Hacker <duffy@debian-linux-terminal.local>
Date: Sat, 6 Jun 2026 16:25:32 +0200
Subject: [PATCH] F-15/F-16/F-17 Security-Header & Logout

- F-15 CSRF-Logout: /logout nur noch via POST mit CSRF-Token; Sidebar-Link
  ist jetzt ein POST-Formular. Schuetzt vor Cross-Site-Logout (SameSite=Lax
  greift bei Top-Level-GET nicht).
- F-16 SRI: Subresource-Integrity-Hashes (sha384) + crossorigin fuer alle
  CDN-Ressourcen (Bootstrap CSS/JS, Bootstrap-Icons).
- F-17: Permissions-Policy-Header (deaktiviert ungenutzte Browser-Features).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 app/main.py              |  6 +++++-
 app/static/css/app.css   |  1 +
 app/templates/base.html  | 18 ++++++++++++------
 app/templates/error.html |  3 ++-
 app/templates/login.html |  6 ++++--
 5 files changed, 24 insertions(+), 10 deletions(-)

diff --git a/app/main.py b/app/main.py
index df8f5ae..536e349 100644
--- a/app/main.py
+++ b/app/main.py
@@ -56,6 +56,10 @@ def _security_headers(resp):
     resp.headers['X-Frame-Options'] = 'DENY'
     resp.headers['X-Content-Type-Options'] = 'nosniff'
     resp.headers['Referrer-Policy'] = 'no-referrer'
+    resp.headers['Permissions-Policy'] = (
+        'geolocation=(), camera=(), microphone=(), payment=(), usb=(), '
+        'accelerometer=(), gyroscope=(), magnetometer=()'
+    )
     resp.headers.setdefault('Content-Security-Policy', CSP)
     # HTML-Seiten (Formulare/Session-Daten) nicht cachen lassen.
     if resp.mimetype == 'text/html':
@@ -262,7 +266,7 @@ def login():
     return render_template('login.html')
 
 
-@app.route('/logout')
+@app.route('/logout', methods=['POST'])
 def logout():
     session.clear()
     return redirect(url_for('login'))
diff --git a/app/static/css/app.css b/app/static/css/app.css
index ae8312d..25565be 100644
--- a/app/static/css/app.css
+++ b/app/static/css/app.css
@@ -13,6 +13,7 @@ body { background: #f4f6f9; min-height: 100vh; }
   background: var(--sidebar-hover); color: #fff;
 }
 #sidebar .nav-link i { width: 1.3em; }
+#sidebar button.nav-link { background: none; border: 0; width: 100%; text-align: left; cursor: pointer; }
 #sidebar hr { border-color: var(--sidebar-hover); }
 .main-content { flex: 1; padding: 2rem; min-width: 0; }
 .card { border: none; box-shadow: 0 1px 4px rgba(0,0,0,.08); }
diff --git a/app/templates/base.html b/app/templates/base.html
index 4b7d1c9..210add2 100644
--- a/app/templates/base.html
+++ b/app/templates/base.html
@@ -5,8 +5,10 @@
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
   <title>{% block title %}DynDNS Manager{% endblock %}</title>
   <link rel="icon" href="{{ url_for('static', filename='favicon.svg') }}" type="image/svg+xml">
-  <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.2/dist/css/bootstrap.min.css">
-  <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap-icons@1.11.3/font/bootstrap-icons.min.css">
+  <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.2/dist/css/bootstrap.min.css"
+        integrity="sha384-T3c6CoIi6uLrA9TneNEoa7RxnatzjcDSCmG1MXxSR1GAsXEV/Dwwykc2MPK8M2HN" crossorigin="anonymous">
+  <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap-icons@1.11.3/font/bootstrap-icons.min.css"
+        integrity="sha384-XGjxtQfXaH2tnPFa9x+ruJTuLE3Aa6LhHSWRr1XeTyhezb4abCG4ccI5AkVDxqC+" crossorigin="anonymous">
   <link rel="stylesheet" href="{{ url_for('static', filename='css/app.css') }}">
 </head>
 <body class="d-flex">
@@ -32,9 +34,12 @@
   <div class="mt-auto">
     <hr>
     <small class="text-secondary d-block mb-2 px-2">{{ session.admin_username }}</small>
-    <a href="{{ url_for('logout') }}" class="nav-link text-danger">
-      <i class="bi bi-box-arrow-left"></i> Abmelden
-    </a>
+    <form method="post" action="{{ url_for('logout') }}">
+      <input type="hidden" name="csrf_token" value="{{ csrf_token() }}">
+      <button type="submit" class="nav-link text-danger">
+        <i class="bi bi-box-arrow-left"></i> Abmelden
+      </button>
+    </form>
   </div>
 </nav>
 
@@ -51,7 +56,8 @@
   {% block content %}{% endblock %}
 </div>
 
-<script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.2/dist/js/bootstrap.bundle.min.js"></script>
+<script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.2/dist/js/bootstrap.bundle.min.js"
+        integrity="sha384-C6RzsynM9kWDrMNeT87bh95OGNyZPhcTNXj1NW7RuBCsyN/o0jlpcV8Qyq46cDfL" crossorigin="anonymous"></script>
 <script src="{{ url_for('static', filename='js/app.js') }}"></script>
 {% block scripts %}{% endblock %}
 </body>
diff --git a/app/templates/error.html b/app/templates/error.html
index 872f467..5901621 100644
--- a/app/templates/error.html
+++ b/app/templates/error.html
@@ -5,7 +5,8 @@
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
   <title>{{ code }} — DynDNS Manager</title>
   <link rel="icon" href="{{ url_for('static', filename='favicon.svg') }}" type="image/svg+xml">
-  <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.2/dist/css/bootstrap.min.css">
+  <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.2/dist/css/bootstrap.min.css"
+        integrity="sha384-T3c6CoIi6uLrA9TneNEoa7RxnatzjcDSCmG1MXxSR1GAsXEV/Dwwykc2MPK8M2HN" crossorigin="anonymous">
   <link rel="stylesheet" href="{{ url_for('static', filename='css/login.css') }}">
 </head>
 <body class="justify-content-center">
diff --git a/app/templates/login.html b/app/templates/login.html
index e2d8b50..01a014b 100644
--- a/app/templates/login.html
+++ b/app/templates/login.html
@@ -5,8 +5,10 @@
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
   <title>Login — DynDNS Manager</title>
   <link rel="icon" href="{{ url_for('static', filename='favicon.svg') }}" type="image/svg+xml">
-  <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.2/dist/css/bootstrap.min.css">
-  <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap-icons@1.11.3/font/bootstrap-icons.min.css">
+  <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.2/dist/css/bootstrap.min.css"
+        integrity="sha384-T3c6CoIi6uLrA9TneNEoa7RxnatzjcDSCmG1MXxSR1GAsXEV/Dwwykc2MPK8M2HN" crossorigin="anonymous">
+  <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap-icons@1.11.3/font/bootstrap-icons.min.css"
+        integrity="sha384-XGjxtQfXaH2tnPFa9x+ruJTuLE3Aa6LhHSWRr1XeTyhezb4abCG4ccI5AkVDxqC+" crossorigin="anonymous">
   <link rel="stylesheet" href="{{ url_for('static', filename='css/login.css') }}">
 </head>
 <body class="justify-content-center">