feat: Website-Rework mit verbessertem Design, Sicherheit und Deployment

- Neue About/Skills-Sektion hinzugefügt - Verbesserte UI/UX für alle Komponenten - Enhanced Contact Form mit Validierung - Verbesserte Security Headers und Middleware - Sichere Deployment-Skripte (safe-deploy.sh) - Zero-Downtime Deployment Support - Verbesserte Docker-Sicherheit - Umfassende Sicherheits-Dokumentation - Performance-Optimierungen - Accessibility-Verbesserungen
2025-11-22 19:24:49 +01:00
parent 498bec6edf
commit 976a6360fd
17 changed files with 1585 additions and 139 deletions
--- a/app/api/email/route.tsx
+++ b/app/api/email/route.tsx
@@ -3,18 +3,47 @@ import nodemailer from "nodemailer";
 import SMTPTransport from "nodemailer/lib/smtp-transport";
 import Mail from "nodemailer/lib/mailer";
 import { PrismaClient } from '@prisma/client';
+import { checkRateLimit, getRateLimitHeaders } from '@/lib/auth';

 const prisma = new PrismaClient();

+// Sanitize input to prevent XSS
+function sanitizeInput(input: string, maxLength: number = 10000): string {
+    return input
+        .slice(0, maxLength)
+        .replace(/[<>]/g, '') // Remove potential HTML tags
+        .trim();
+}
+
 export async function POST(request: NextRequest) {
    try {
+        // Rate limiting
+        const ip = request.headers.get('x-forwarded-for') || request.headers.get('x-real-ip') || 'unknown';
+        if (!checkRateLimit(ip, 5, 60000)) { // 5 emails per minute per IP
+            return NextResponse.json(
+                { error: 'Zu viele Anfragen. Bitte versuchen Sie es später erneut.' },
+                { 
+                    status: 429,
+                    headers: {
+                        'Content-Type': 'application/json',
+                        ...getRateLimitHeaders(ip, 5, 60000)
+                    }
+                }
+            );
+        }
+
        const body = (await request.json()) as {
            email: string;
            name: string;
            subject: string;
            message: string;
        };
-        const { email, name, subject, message } = body;
+        
+        // Sanitize and validate input
+        const email = sanitizeInput(body.email || '', 255);
+        const name = sanitizeInput(body.name || '', 100);
+        const subject = sanitizeInput(body.subject || '', 200);
+        const message = sanitizeInput(body.message || '', 5000);

        console.log('📧 Email request received:', { email, name, subject, messageLength: message.length });

@@ -46,6 +75,14 @@ export async function POST(request: NextRequest) {
            );
        }

+        // Validate field lengths
+        if (name.length > 100 || subject.length > 200 || message.length > 5000) {
+            return NextResponse.json(
+                { error: "Eingabe zu lang" },
+                { status: 400 },
+            );
+        }
+
        const user = process.env.MY_EMAIL ?? "";
        const pass = process.env.MY_PASSWORD ?? "";