Changes für lighthouse Branch

public/_headers

@@ -0,0 +1,33 @@
+# Security Headers for all routes
+/*
+  # XSS Protection
+  X-Frame-Options: DENY
+  X-Content-Type-Options: nosniff
+  X-XSS-Protection: 1; mode=block
+
+  # Referrer Policy
+  Referrer-Policy: strict-origin-when-cross-origin
+
+  # Permissions Policy
+  Permissions-Policy: geolocation=(self), microphone=(), camera=(), payment=()
+
+  # Strict Transport Security (HSTS)
+  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
+
+  # Content Security Policy
+  Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://fonts.googleapis.com https://www.googletagmanager.com https://www.google-analytics.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https: blob:; connect-src 'self' https://www.google-analytics.com https://*.googletagmanager.com; frame-ancestors 'none';
+
+  # Cache Control for static assets
+  Cache-Control: public, max-age=31536000, immutable
+
+# Cache Control for HTML
+/*.html
+  Cache-Control: public, max-age=0, must-revalidate
+
+# Cache Control for service worker
+/sw.js
+  Cache-Control: public, max-age=0, must-revalidate
+
+# Cache Control for manifest
+/manifest.json
+  Cache-Control: public, max-age=86400, must-revalidate