Script erstellt

test-https-security.php

@@ -0,0 +1,59 @@
+<?php
+// Test der HTTPS-Sicherheit
+echo "🔒 HTTPS-Sicherheit Test\n";
+echo "======================\n\n";
+
+// 1. Prüfe .env Einstellungen
+echo "1. .env Einstellungen:\n";
+$envVars = ['APP_URL', 'FORCE_HTTPS', 'SECURE_COOKIES', 'SESSION_SECURE_COOKIE'];
+foreach ($envVars as $var) {
+    $value = getenv($var) ?: 'nicht gesetzt';
+    echo "   - $var: $value\n";
+}
+
+// 2. Prüfe Session-Konfiguration
+echo "\n2. Session-Konfiguration:\n";
+if (file_exists('config/session.php')) {
+    $content = file_get_contents('config/session.php');
+    if (strpos($content, "'secure' => true") !== false) {
+        echo "   ✅ Session secure: true\n";
+    } else {
+        echo "   ❌ Session secure: false\n";
+    }
+    if (strpos($content, "'http_only' => true") !== false) {
+        echo "   ✅ Session http_only: true\n";
+    } else {
+        echo "   ❌ Session http_only: false\n";
+    }
+}
+
+// 3. Prüfe CSRF-Konfiguration
+echo "\n3. CSRF-Konfiguration:\n";
+if (file_exists('config/csrf.php')) {
+    $content = file_get_contents('config/csrf.php');
+    if (strpos($content, "'secure' => true") !== false) {
+        echo "   ✅ CSRF secure: true\n";
+    } else {
+        echo "   ❌ CSRF secure: false\n";
+    }
+}
+
+// 4. Prüfe .htaccess
+echo "\n4. .htaccess HTTPS-Headers:\n";
+if (file_exists('public/.htaccess')) {
+    $content = file_get_contents('public/.htaccess');
+    if (strpos($content, 'Strict-Transport-Security') !== false) {
+        echo "   ✅ HSTS Header vorhanden\n";
+    } else {
+        echo "   ❌ HSTS Header fehlt\n";
+    }
+    if (strpos($content, 'upgrade-insecure-requests') !== false) {
+        echo "   ✅ CSP upgrade-insecure-requests vorhanden\n";
+    } else {
+        echo "   ❌ CSP upgrade-insecure-requests fehlt\n";
+    }
+}
+
+echo "\n✅ HTTPS-Sicherheit Test abgeschlossen!\n";
+echo "🔗 Testen Sie jetzt: https://neonail.vogt.de.com/admin/users\n";
+?>