@aegis-scan/skills 0.5.0 → 0.5.2

package/skills/compliance/aegis-native/brutaler-anwalt/references/stack-patterns/express/cookie-banner-pattern.md

@@ -0,0 +1,237 @@
+---
+license: MIT (snippet)
+provider: Express.js (Open-Source)
+last-checked: 2026-05-05
+purpose: Express Middleware-Stack Pattern fuer Consent-Cookie-Read + Conditional Tracker-Mount.
+---
+
+# Express — Cookie-Banner Middleware Pattern
+
+## Trigger / Detection
+
+Repo enthaelt:
+- `express` in `package.json`
+- `cookie-parser` Middleware
+- `app.use(...)` Mount-Pattern in `app.ts` / `server.ts` / `index.js`
+- Optional: Server-rendered Views (Pug/EJS/Handlebars) mit Banner-Component
+
+## Default-Verhalten (was passiert ohne Konfiguration)
+
+- `cookie-parser` setzt keine `Secure;HttpOnly;SameSite`-Defaults
+- Kein zentrales Consent-Validation-Middleware → Tracker laeuft via Hardcoded-Routes
+- `app.use(express.static('public'))` cached HTML mit hardcoded Tracker-Tags
+- Headers wie `X-Powered-By: Express` leaken Stack-Info
+- Default-Logger (morgan) loggt volle IPs
+
+## Compliance-Risiken
+
+| Risiko | Norm | Severity | Fix |
+|---|---|---|---|
+| Tracker im Static-HTML hardcoded | § 25 TDDDG | KRITISCH | Server-Side-Render mit Consent-Pruefung |
+| Consent-Cookie ohne `Secure;SameSite` | Art. 32 DSGVO | HOCH | `cookie.set` mit Flags |
+| Klartext-IP in morgan-Log | Art. 5 lit. f | HOCH | Custom IP-Hash-Token |
+| Fehlendes `helmet` → keine Security-Headers | Art. 32 DSGVO | KRITISCH | `helmet()` Middleware |
+| `X-Powered-By: Express` Header | Art. 25 DSGVO Privacy-by-Design | NIEDRIG | `app.disable('x-powered-by')` |
+
+## Code-Pattern (sanitized)
+
+```typescript
+// File: src/middleware/consent.ts
+import type { Request, Response, NextFunction } from 'express';
+
+export type Consent = {
+  necessary: true;
+  analytics: boolean;
+  marketing: boolean;
+  timestamp?: string;
+  version: string;
+};
+
+declare global {
+  namespace Express {
+    interface Request {
+      consent: Consent;
+    }
+  }
+}
+
+const defaultConsent: Consent = {
+  necessary: true,
+  analytics: false,
+  marketing: false,
+  version: '1.0',
+};
+
+export function consentMiddleware(req: Request, _res: Response, next: NextFunction) {
+  const raw = req.cookies?.['cookie-consent'];
+  if (!raw) {
+    req.consent = { ...defaultConsent };
+    return next();
+  }
+  try {
+    const parsed = JSON.parse(raw);
+    req.consent = { ...defaultConsent, ...parsed };
+  } catch {
+    req.consent = { ...defaultConsent };
+  }
+  next();
+}
+
+export function requireAnalyticsConsent(req: Request, res: Response, next: NextFunction) {
+  if (!req.consent.analytics) {
+    return res.status(204).json({ blocked: 'analytics-opt-out' });
+  }
+  next();
+}
+```
+
+```typescript
+// File: src/routes/consent.ts
+import { Router } from 'express';
+import crypto from 'node:crypto';
+
+const router = Router();
+
+router.post('/api/consent-log', async (req, res) => {
+  const consent = req.body;
+  if (!consent || typeof consent.analytics !== 'boolean') {
+    return res.status(400).json({ error: 'invalid payload' });
+  }
+
+  const ip = req.headers['x-forwarded-for']?.toString().split(',')[0]?.trim()
+    ?? req.socket.remoteAddress
+    ?? '';
+  const ipHash = crypto
+    .createHash('sha256')
+    .update(ip + (process.env.IP_HASH_SALT ?? ''))
+    .digest('hex')
+    .slice(0, 16);
+
+  // Persist via DB-Layer (Pseudo-Code)
+  await req.app.locals.db.consentLog.create({
+    data: {
+      ipHash,
+      userAgent: req.headers['user-agent']?.slice(0, 200) ?? '',
+      consent: JSON.stringify(consent),
+      timestamp: new Date(),
+    },
+  });
+
+  // Set Cookie mit allen Security-Flags
+  res.cookie('cookie-consent', JSON.stringify({ ...consent, timestamp: new Date().toISOString() }), {
+    httpOnly: false,  // Banner-JS muss lesen koennen
+    secure: process.env.NODE_ENV === 'production',
+    sameSite: 'lax',
+    maxAge: 12 * 30 * 24 * 60 * 60 * 1000,  // 12 Monate
+    path: '/',
+  });
+
+  res.status(204).end();
+});
+
+export default router;
+```
+
+```typescript
+// File: src/app.ts
+import express from 'express';
+import cookieParser from 'cookie-parser';
+import helmet from 'helmet';
+import morgan from 'morgan';
+import { consentMiddleware, requireAnalyticsConsent } from './middleware/consent';
+import consentRoutes from './routes/consent';
+
+const app = express();
+
+// Security
+app.disable('x-powered-by');
+app.use(helmet({
+  contentSecurityPolicy: {
+    directives: {
+      defaultSrc: ["'self'"],
+      scriptSrc: ["'self'", "https://<placeholder-eu-analytics-host>"],
+      connectSrc: ["'self'", "https://<placeholder-eu-analytics-host>"],
+      imgSrc: ["'self'", 'data:'],
+      styleSrc: ["'self'", "'unsafe-inline'"],
+    },
+  },
+}));
+
+// Body + Cookies
+app.use(express.json({ limit: '100kb' }));
+app.use(cookieParser());
+app.use(consentMiddleware);
+
+// IP-anonymisiertes Logging (custom morgan-token)
+morgan.token('ipHash', (req) => {
+  const ip = req.headers['x-forwarded-for']?.toString().split(',')[0]?.trim()
+    ?? req.socket.remoteAddress ?? '';
+  return require('crypto').createHash('sha256').update(ip).digest('hex').slice(0, 8);
+});
+app.use(morgan(':ipHash :method :url :status :response-time ms'));
+
+// Routes
+app.use(consentRoutes);
+app.post('/api/track', requireAnalyticsConsent, async (req, res) => {
+  // ... Tracker-Forward-Logic
+  res.status(204).end();
+});
+
+export default app;
+```
+
+## AVV / DPA
+
+- Hosting-Provider — Art. 28 DSGVO
+- Datenbank-Provider (Postgres-Cloud / Mongo-Atlas EU) — AVV
+- Logging-Provider (sofern extern) — AVV mit IP-Hash-Garantie
+- Reverse-Proxy (Cloudflare / Fastly EU) — AVV
+
+## DSE-Wording-Vorlage
+
+```markdown
+### Server-Logs
+
+Beim Aufruf dieser Webseite werden technische Daten in Server-Logs erfasst:
+
+- Hash der IP-Adresse (SHA-256, gekuerzt auf 8 Zeichen)
+- Zeitstempel des Aufrufs
+- HTTP-Methode und URL
+- HTTP-Statuscode
+- Antwortzeit (ms)
+- User-Agent (max. 200 Zeichen)
+
+**Rechtsgrundlage:** Art. 6 Abs. 1 lit. f DSGVO (berechtigtes Interesse an
+sicherem Webseitenbetrieb).
+**Speicherdauer:** 14 Tage, danach automatische Loeschung.
+**Hinweis:** Die volle IP-Adresse wird zu keinem Zeitpunkt gespeichert.
+```
+
+## Verify-Commands (Live-Probe)
+
+```bash
+# 1. X-Powered-By NICHT vorhanden
+curl -sI https://<placeholder-domain>/ | grep -i "x-powered-by"
+# Erwartung: leer
+
+# 2. helmet-Headers
+curl -sI https://<placeholder-domain>/ | grep -iE "x-content-type-options|x-frame-options|strict-transport-security"
+# Erwartung: 3 Treffer
+
+# 3. Tracker-Endpoint blockt ohne Consent
+curl -X POST https://<placeholder-domain>/api/track -i
+# Erwartung: 204 mit "blocked":"analytics-opt-out"
+
+# 4. Consent-Cookie mit Secure-Flags
+curl -X POST https://<placeholder-domain>/api/consent-log \
+  -H "Content-Type: application/json" \
+  -d '{"necessary":true,"analytics":false,"marketing":false}' -i
+# Erwartung: Set-Cookie: cookie-consent=...; SameSite=Lax; Path=/; HttpOnly nein; Secure ja
+```
+
+## Cross-References
+
+- AEGIS-Scanner: `cookie-flags-checker.ts`, `helmet-config-checker.ts`, `morgan-pii-checker.ts`
+- Skill-Reference: `references/dsgvo.md` Art. 32 (Sicherheit), § 25 TDDDG
+- BGH-Rechtsprechung: `references/bgh-urteile.md` BGH I ZR 7/16
+- Audit-Pattern: `references/audit-patterns.md` Phase 6 (Server-Side-Logs)

package/skills/compliance/aegis-native/brutaler-anwalt/references/stack-patterns/express/gdpr-routes-pattern.md

@@ -0,0 +1,256 @@
+---
+license: MIT (snippet)
+provider: Express.js (Open-Source)
+last-checked: 2026-05-05
+purpose: Standard-DSGVO-Routes (Auskunft, Loeschung, Datenuebertragbarkeit) im Express-Stack.
+---
+
+# Express — DSGVO-Routes Pattern
+
+## Trigger / Detection
+
+Repo enthaelt:
+- `express` mit User-Authentifizierung (Sessions / JWT)
+- Datenbank-Layer mit User-Tabellen
+- Optional: Job-Queue (BullMQ / Agenda) fuer asynchrone Auskunfts-Generierung
+- Optional: Mailer-Service fuer Antwort-Versand
+
+DSGVO-Pflicht-Endpoints (typisch):
+- `POST /api/gdpr/auskunft` (Art. 15)
+- `POST /api/gdpr/loeschen` (Art. 17)
+- `POST /api/gdpr/portabilitaet` (Art. 20)
+- `POST /api/gdpr/berichtigung` (Art. 16)
+- `POST /api/gdpr/widerspruch` (Art. 21)
+
+## Default-Verhalten (was passiert ohne Konfiguration)
+
+- DSGVO-Anfragen kommen per E-Mail an Support → manuelle Bearbeitung
+- Keine Log-Spur fuer Compliance-Nachweis (Art. 5 Abs. 2 Rechenschaftspflicht)
+- Loeschungen oft unvollstaendig (Backups, Logs, Search-Indexes uebersehen)
+- Auskunft als Word-Dokument zusammenkopiert → Drift, Fehler-Quote hoch
+- Keine Identitaets-Verifizierung → Account-Takeover-Vektor
+
+## Compliance-Risiken
+
+| Risiko | Norm | Severity | Fix |
+|---|---|---|---|
+| Antwortfrist 1 Monat verpasst | Art. 12 Abs. 3 DSGVO | KRITISCH | Job-Queue + Cron-Watchdog |
+| Auskunft unvollstaendig (Backup-Daten fehlen) | Art. 15 DSGVO | HOCH | Multi-Source-Aggregator |
+| Loeschung verfehlt Search-Index | Art. 17 DSGVO | HOCH | Index-Sync-Worker im gleichen Job |
+| Identitaet nicht verifiziert | Art. 12 Abs. 6 DSGVO | KRITISCH | E-Mail-Bestaetigung + Session-Auth |
+| Antwort an falsche Person (PII-Leak) | Art. 5 lit. f DSGVO | KRITISCH | E-Mail-Match + 2FA-Check |
+| Kein Audit-Log | Art. 5 Abs. 2 DSGVO | HOCH | DB-Tabelle `gdpr_requests` |
+
+## Code-Pattern (sanitized)
+
+```typescript
+// File: src/routes/gdpr.ts
+import { Router } from 'express';
+import { z } from 'zod';
+import { requireAuth } from '../middleware/auth';
+import { gdprQueue } from '../jobs/gdpr-queue';
+
+const router = Router();
+
+const auskunftSchema = z.object({
+  email: z.string().email(),
+  format: z.enum(['json', 'pdf']).default('json'),
+});
+
+router.post('/api/gdpr/auskunft', requireAuth, async (req, res) => {
+  const parsed = auskunftSchema.safeParse(req.body);
+  if (!parsed.success) {
+    return res.status(400).json({ error: parsed.error.flatten() });
+  }
+
+  // Identitaets-Check: angefragte E-Mail muss Session-User entsprechen
+  if (parsed.data.email.toLowerCase() !== req.user.email.toLowerCase()) {
+    return res.status(403).json({ error: 'Identitaet nicht bestaetigt' });
+  }
+
+  // Audit-Log: Request registrieren
+  const request = await req.app.locals.db.gdprRequest.create({
+    data: {
+      userId: req.user.id,
+      type: 'AUSKUNFT',
+      status: 'PENDING',
+      requestedAt: new Date(),
+      requestedFormat: parsed.data.format,
+    },
+  });
+
+  // Async-Job fuer Aggregation queuen
+  await gdprQueue.add('auskunft', {
+    requestId: request.id,
+    userId: req.user.id,
+    format: parsed.data.format,
+  });
+
+  res.status(202).json({
+    requestId: request.id,
+    status: 'PENDING',
+    expectedResponseTime: '14 Tage (max. 1 Monat per Art. 12 DSGVO)',
+  });
+});
+
+router.post('/api/gdpr/loeschen', requireAuth, async (req, res) => {
+  const reason = z.string().max(500).optional().parse(req.body.reason);
+
+  // Soft-Delete sofort, Hard-Delete via Job
+  await req.app.locals.db.user.update({
+    where: { id: req.user.id },
+    data: {
+      deletedAt: new Date(),
+      deletionReason: reason ?? null,
+      // PII-Felder sofort ueberschreiben
+      email: `deleted-${req.user.id}@<placeholder-domain>`,
+      name: 'GELOESCHT',
+    },
+  });
+
+  await gdprQueue.add('hard-delete', { userId: req.user.id }, { delay: 30 * 24 * 60 * 60 * 1000 });
+
+  // Logout
+  req.session?.destroy(() => {});
+
+  res.status(202).json({
+    status: 'PENDING_HARD_DELETE',
+    softDeletedAt: new Date().toISOString(),
+    hardDeleteScheduled: 'in 30 Tagen (Widerruf-Frist)',
+  });
+});
+
+router.post('/api/gdpr/portabilitaet', requireAuth, async (req, res) => {
+  // Aehnlich Auskunft, aber zusaetzlich strukturiertes/maschinenlesbares Format
+  const request = await req.app.locals.db.gdprRequest.create({
+    data: {
+      userId: req.user.id,
+      type: 'PORTABILITAET',
+      status: 'PENDING',
+      requestedAt: new Date(),
+      requestedFormat: 'json',
+    },
+  });
+
+  await gdprQueue.add('portability-export', { requestId: request.id, userId: req.user.id });
+
+  res.status(202).json({ requestId: request.id });
+});
+
+router.post('/api/gdpr/widerspruch', requireAuth, async (req, res) => {
+  const scope = z.enum(['marketing', 'analytics', 'profiling', 'all']).parse(req.body.scope);
+
+  await req.app.locals.db.user.update({
+    where: { id: req.user.id },
+    data: {
+      consentMarketing: scope === 'marketing' || scope === 'all' ? false : undefined,
+      consentAnalytics: scope === 'analytics' || scope === 'all' ? false : undefined,
+      consentProfiling: scope === 'profiling' || scope === 'all' ? false : undefined,
+      objectionLoggedAt: new Date(),
+    },
+  });
+
+  res.status(204).end();
+});
+
+export default router;
+```
+
+```typescript
+// File: src/jobs/gdpr-queue.ts
+import { Queue, Worker } from 'bullmq';
+
+export const gdprQueue = new Queue('gdpr', {
+  connection: { host: process.env.REDIS_HOST, port: 6379 },
+});
+
+new Worker('gdpr', async (job) => {
+  switch (job.name) {
+    case 'auskunft':
+      await aggregateUserData(job.data.userId, job.data.requestId);
+      break;
+    case 'hard-delete':
+      await hardDeleteUser(job.data.userId);
+      break;
+    case 'portability-export':
+      await exportPortabilityData(job.data.userId, job.data.requestId);
+      break;
+  }
+}, { connection: { host: process.env.REDIS_HOST, port: 6379 } });
+
+async function aggregateUserData(_userId: string, _requestId: string) {
+  // Pflicht-Quellen: User-DB, Orders, Logs, Backups, Search-Index, S3-Uploads
+  // Generiere JSON/PDF, hashe als Beweis, sende per E-Mail mit signed Link
+}
+
+async function hardDeleteUser(_userId: string) {
+  // Pflicht-Targets: alle Tabellen, Search-Indexes, S3-Files, Backups (gem. Backup-Policy)
+}
+
+async function exportPortabilityData(_userId: string, _requestId: string) {
+  // Strukturiert + maschinenlesbar (JSON, optional CSV)
+}
+```
+
+## AVV / DPA
+
+- Datenbank-Provider — AVV
+- Job-Queue (Redis Cloud / Upstash EU) — AVV
+- Mailer (SES EU / Postmark / Resend EU) — AVV
+- File-Storage (S3 EU / Bunny CDN) fuer Auskunfts-Exports — AVV mit signed-URL-Pflicht
+
+## DSE-Wording-Vorlage
+
+```markdown
+### Ihre Rechte als betroffene Person
+
+Sie koennen jederzeit folgende Rechte ausueben — eingeloggt unter
+[Ihre Daten](#account-data) oder per E-Mail an <placeholder-email>:
+
+| Recht | Endpoint | Antwortzeit |
+|---|---|---|
+| Auskunft (Art. 15) | `/api/gdpr/auskunft` | max. 1 Monat |
+| Berichtigung (Art. 16) | `/api/gdpr/berichtigung` | max. 1 Monat |
+| Loeschung (Art. 17) | `/api/gdpr/loeschen` | sofort (Soft) + 30T (Hard) |
+| Datenuebertragbarkeit (Art. 20) | `/api/gdpr/portabilitaet` | max. 1 Monat |
+| Widerspruch (Art. 21) | `/api/gdpr/widerspruch` | sofort |
+
+**Identitaets-Verifizierung:** Anfragen werden nur aus eingeloggter Session
+ausgefuehrt. Bei E-Mail-Anfragen bestaetigen wir Ihre Identitaet via
+Confirm-Link an die hinterlegte E-Mail-Adresse.
+```
+
+## Verify-Commands (Live-Probe)
+
+```bash
+# 1. Auskunft-Endpoint erfordert Auth
+curl -X POST https://<placeholder-domain>/api/gdpr/auskunft \
+  -H "Content-Type: application/json" \
+  -d '{"email":"test@example.com","format":"json"}' -i
+# Erwartung: 401 / 403
+
+# 2. Mit Auth: 202 + RequestId
+curl -X POST https://<placeholder-domain>/api/gdpr/auskunft \
+  -H "Content-Type: application/json" \
+  -H "Cookie: session=<placeholder-session>" \
+  -d '{"email":"<placeholder-user-email>","format":"json"}' -i
+# Erwartung: 202 mit { requestId, status: "PENDING" }
+
+# 3. Cross-User-Zugriff verhindert
+curl -X POST https://<placeholder-domain>/api/gdpr/auskunft \
+  -H "Content-Type: application/json" \
+  -H "Cookie: session=<placeholder-session>" \
+  -d '{"email":"OTHER-USER@example.com","format":"json"}' -i
+# Erwartung: 403 "Identitaet nicht bestaetigt"
+
+# 4. Audit-Log-Pruefung (DB-Query)
+# SELECT COUNT(*) FROM gdpr_requests WHERE userId = '<id>' AND created_at > now() - interval '24h';
+```
+
+## Cross-References
+
+- AEGIS-Scanner: `gdpr-routes-checker.ts`, `auth-flow-checker.ts`, `tenant-isolation-checker.ts`
+- Skill-Reference: `references/dsgvo.md` Art. 12-22 (Betroffenenrechte)
+- BGH-Rechtsprechung: `references/bgh-urteile.md`
+- EuGH-Rechtsprechung: `references/eu-eugh-dsgvo-schadensersatz.md`
+- Audit-Pattern: `references/audit-patterns.md` Phase 8 (Betroffenenrechte-Test)

package/skills/compliance/aegis-native/brutaler-anwalt/references/stack-patterns/express/helmet-csp-pattern.md

@@ -0,0 +1,207 @@
+---
+license: MIT (snippet)
+provider: Express + helmet (Open-Source)
+last-checked: 2026-05-05
+purpose: Helmet-Integration fuer CSP + Cookie-Settings + DSGVO-konforme Security-Headers.
+---
+
+# Express — Helmet-CSP Pattern (DSGVO-konform)
+
+## Trigger / Detection
+
+Repo enthaelt:
+- `helmet` in `package.json`
+- `app.use(helmet(...))` in `app.ts` / `server.ts`
+- Optional: `nonce`-Generierung via `crypto.randomBytes`
+- Optional: `report-uri` / `report-to` fuer CSP-Violations
+
+## Default-Verhalten (was passiert ohne Konfiguration)
+
+- `helmet()` ohne Options aktiviert konservative Defaults, ABER:
+  - CSP-Default ist `default-src 'self'` → blockiert alle Tracker/CDN-Resources OHNE Whitelisting
+  - `Cross-Origin-Embedder-Policy: require-corp` blockiert externes Embedding
+  - `Strict-Transport-Security` wird mit konservativem Max-Age gesetzt
+- Ohne `helmet`: keine Security-Headers, alle XSS/Clickjacking-Vektoren offen
+- CSP-Violations gehen in Console, kein Server-Side-Reporting
+
+## Compliance-Risiken
+
+| Risiko | Norm | Severity | Fix |
+|---|---|---|---|
+| CSP fehlt → XSS-Vektor | Art. 32 DSGVO | KRITISCH | `contentSecurityPolicy` mit explizitem Allowlist |
+| Inline-Scripts ohne nonce | Art. 32 DSGVO | HOCH | Nonce-Pattern oder hash-based |
+| Tracker-Hosts in CSP allowlisted ohne Consent | § 25 TDDDG | MITTEL | CSP nur fuer Hosts die NACH Consent geladen werden |
+| HSTS mit kurzem max-age | Art. 32 DSGVO | MITTEL | `maxAge: 31536000` + `includeSubDomains` |
+| `Permissions-Policy` fehlt | DSGVO Art. 25 | NIEDRIG | Geo/Cam/Mic auf `()` setzen |
+
+## Code-Pattern (sanitized)
+
+```typescript
+// File: src/middleware/security.ts
+import helmet from 'helmet';
+import crypto from 'node:crypto';
+import type { Request, Response, NextFunction } from 'express';
+
+// Nonce pro Request fuer CSP
+export function nonceMiddleware(_req: Request, res: Response, next: NextFunction) {
+  res.locals.cspNonce = crypto.randomBytes(16).toString('base64');
+  next();
+}
+
+export function buildHelmet() {
+  return helmet({
+    contentSecurityPolicy: {
+      useDefaults: true,
+      directives: {
+        defaultSrc: ["'self'"],
+        scriptSrc: [
+          "'self'",
+          // Nonce muss vom Server pro Request gerendered werden
+          (_req: Request, res: Response) => `'nonce-${(res as any).locals.cspNonce}'`,
+          'https://<placeholder-eu-analytics-host>',
+        ],
+        connectSrc: [
+          "'self'",
+          'https://<placeholder-eu-analytics-host>',
+          'https://<placeholder-eu-error-tracking-host>',
+        ],
+        imgSrc: ["'self'", 'data:', 'https://<placeholder-eu-image-cdn>'],
+        styleSrc: ["'self'", "'unsafe-inline'"],  // Tailwind etc.
+        fontSrc: ["'self'", 'https://<placeholder-eu-font-cdn>'],
+        frameAncestors: ["'none'"],
+        formAction: ["'self'"],
+        baseUri: ["'self'"],
+        objectSrc: ["'none'"],
+        upgradeInsecureRequests: [],
+        reportUri: ['/api/csp-report'],
+      },
+    },
+    crossOriginEmbedderPolicy: false,  // bei externer Image-Einbettung
+    strictTransportSecurity: {
+      maxAge: 31536000,  // 1 Jahr
+      includeSubDomains: true,
+      preload: true,
+    },
+    referrerPolicy: { policy: 'strict-origin-when-cross-origin' },
+    xssFilter: true,
+  });
+}
+```
+
+```typescript
+// File: src/routes/csp-report.ts
+import { Router } from 'express';
+import express from 'express';
+
+const router = Router();
+
+// CSP-Reports kommen mit application/csp-report content-type
+router.post('/api/csp-report', express.json({ type: 'application/csp-report' }), async (req, res) => {
+  const report = req.body['csp-report'] ?? req.body;
+
+  // Logge nur sanitized Daten — kein User-PII
+  console.warn('[CSP-VIOLATION]', {
+    documentUri: report['document-uri'],
+    blockedUri: report['blocked-uri'],
+    violatedDirective: report['violated-directive'],
+    sourceFile: report['source-file'],
+    timestamp: new Date().toISOString(),
+  });
+
+  // Optional: Persist in DB fuer Auswertung
+  // await req.app.locals.db.cspReport.create({ data: { ...report } });
+
+  res.status(204).end();
+});
+
+export default router;
+```
+
+```typescript
+// File: src/views/layout.ejs (oder Pug/Handlebars-Equivalent)
+// <html>
+//   <head>
+//     <script nonce="<%= cspNonce %>">
+//       window.__CSP_NONCE__ = '<%= cspNonce %>';
+//     </script>
+//   </head>
+// </html>
+```
+
+```typescript
+// File: src/app.ts
+import express from 'express';
+import { nonceMiddleware, buildHelmet } from './middleware/security';
+import cspReportRoutes from './routes/csp-report';
+
+const app = express();
+
+// Order matters: nonce VOR helmet
+app.use(nonceMiddleware);
+app.use(buildHelmet());
+
+// Body-Parser fuer normale Routes
+app.use(express.json({ limit: '100kb' }));
+
+// CSP-Report-Endpoint
+app.use(cspReportRoutes);
+
+// ... weitere Routes
+export default app;
+```
+
+## AVV / DPA
+
+- Hosting-Provider — Art. 28 DSGVO
+- CSP-Report-Logging-Provider (z.B. Sentry CSP) — AVV
+- ALLE Hosts in CSP-Allowlist sind potentielle Auftragsverarbeiter und MUESSEN
+  in DSE-Section "Auftragsverarbeiter" gelistet sein
+
+## DSE-Wording-Vorlage
+
+```markdown
+### Sicherheits-Massnahmen (technisch)
+
+Wir setzen folgende technische Schutzmassnahmen ein:
+
+- **Content-Security-Policy (CSP):** Strikte Allowlist erlaubter Quellen
+  fuer Skripte, Bilder, Fonts. Verhindert XSS-Angriffe.
+- **HTTP Strict Transport Security (HSTS):** Erzwingt HTTPS-Verbindungen.
+  Max-Age: 1 Jahr.
+- **CSP-Violation-Reports:** Verstoesse werden anonymisiert (ohne IP/User-PII)
+  protokolliert zur Sicherheits-Auswertung.
+
+**Rechtsgrundlage:** Art. 32 DSGVO (Sicherheit der Verarbeitung) i.V.m.
+Art. 6 Abs. 1 lit. f DSGVO.
+**Speicherdauer CSP-Reports:** 30 Tage, ausschliesslich technische
+Auswertung, kein Bezug zu Einzelpersonen.
+```
+
+## Verify-Commands (Live-Probe)
+
+```bash
+# 1. CSP-Header gesetzt
+curl -sI https://<placeholder-domain>/ | grep -i "content-security-policy"
+# Erwartung: lange Policy-String mit default-src, script-src etc.
+
+# 2. HSTS mit korrektem Max-Age
+curl -sI https://<placeholder-domain>/ | grep -i "strict-transport-security"
+# Erwartung: max-age=31536000; includeSubDomains; preload
+
+# 3. CSP-Report-Endpoint funktioniert
+curl -X POST https://<placeholder-domain>/api/csp-report \
+  -H "Content-Type: application/csp-report" \
+  -d '{"csp-report":{"document-uri":"https://<placeholder-domain>/","violated-directive":"script-src"}}' -i
+# Erwartung: 204
+
+# 4. observatory.mozilla.org-Score
+# Browse zu https://observatory.mozilla.org/analyze/<placeholder-domain>
+# Erwartung: Score >= A
+```
+
+## Cross-References
+
+- AEGIS-Scanner: `csp-config-checker.ts`, `hsts-checker.ts`, `helmet-config-checker.ts`
+- Skill-Reference: `references/dsgvo.md` Art. 32 (Sicherheit), Art. 25 (Privacy-by-Design)
+- BSI-Grundschutz: SYS.1.1 Allgemeiner Server
+- Audit-Pattern: `references/audit-patterns.md` Phase 7 (Security-Header-Audit)