fix: Gitea Traefik routing and connection pool optimization

- Remove middleware reference from Gitea Traefik labels (caused routing issues)
- Optimize Gitea connection pool settings (MAX_IDLE_CONNS=30, authentication_timeout=180s)
- Add explicit service reference in Traefik labels
- Fix intermittent 504 timeouts by improving PostgreSQL connection handling

Fixes Gitea unreachability via git.michaelschiemer.de

docs/modules/security.md

@@ -0,0 +1,382 @@
+# Security Module
+
+**Security Utilities: CSRF, XSS Protection, and CSP Helpers**
+
+The Security Module provides comprehensive security utilities for client-side security management.
+
+---
+
+## Features
+
+- **CSRF Token Management** - Automatic token refresh and management
+- **XSS Protection** - HTML sanitization and input validation
+- **Content Security Policy** - CSP validation and helpers
+- **Security Headers Validation** - Client-side security header checks
+
+---
+
+## Quick Start
+
+### Basic Usage
+
+```javascript
+import { SecurityManager } from './modules/security/index.js';
+
+// Create security manager
+const security = SecurityManager.create({
+    csrf: {
+        autoRefresh: true,
+        refreshInterval: 30 * 60 * 1000 // 30 minutes
+    },
+    xss: {
+        enabled: true,
+        sanitizeOnInput: false
+    }
+});
+
+// Get CSRF token
+const token = security.getCsrfToken();
+
+// Use in fetch request
+const response = await fetch('/api/endpoint', {
+    method: 'POST',
+    headers: {
+        ...security.getCsrfTokenHeader(),
+        'Content-Type': 'application/json'
+    },
+    body: JSON.stringify(data)
+});
+```
+
+### Module System Integration
+
+```html
+<!-- Enable global security manager -->
+<script type="module">
+    import { init } from './modules/security/index.js';
+    
+    init({
+        csrf: {
+            autoRefresh: true
+        }
+    });
+</script>
+
+<!-- Access globally -->
+<script>
+    // Get CSRF token
+    const token = window.SecurityManager.getCsrfToken();
+    
+    // Refresh token
+    await window.SecurityManager.refreshCsrfToken();
+</script>
+```
+
+---
+
+## API Reference
+
+### SecurityManager.create(config)
+
+Create a new SecurityManager instance.
+
+**Parameters**:
+- `config.csrf` - CSRF manager configuration
+- `config.xss` - XSS protection configuration
+- `config.csp` - CSP configuration
+
+**Example**:
+```javascript
+const security = SecurityManager.create({
+    csrf: {
+        tokenName: '_token',
+        headerName: 'X-CSRF-TOKEN',
+        autoRefresh: true,
+        refreshInterval: 30 * 60 * 1000
+    },
+    xss: {
+        enabled: true,
+        sanitizeOnInput: false
+    }
+});
+```
+
+### security.getCsrfToken()
+
+Get current CSRF token.
+
+**Returns**: `string | null`
+
+### security.getCsrfTokenHeader()
+
+Get CSRF token header object for use in fetch requests.
+
+**Returns**: `Record<string, string>`
+
+**Example**:
+```javascript
+const headers = {
+    ...security.getCsrfTokenHeader(),
+    'Content-Type': 'application/json'
+};
+```
+
+### security.refreshCsrfToken()
+
+Manually refresh CSRF token.
+
+**Returns**: `Promise<void>`
+
+### security.escapeHtml(text)
+
+Escape HTML to prevent XSS.
+
+**Parameters**:
+- `text` - Text to escape
+
+**Returns**: `string`
+
+**Example**:
+```javascript
+const safe = security.escapeHtml('<script>alert("xss")</script>');
+// Returns: &lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt;
+```
+
+### security.validateUrl(url)
+
+Validate URL to prevent XSS.
+
+**Parameters**:
+- `url` - URL to validate
+
+**Returns**: `boolean`
+
+**Example**:
+```javascript
+if (security.validateUrl(userInput)) {
+    // Safe to use
+} else {
+    // Potentially dangerous
+}
+```
+
+### security.validateSecurityHeaders()
+
+Validate security headers.
+
+**Returns**: `SecurityHeadersValidation`
+
+**Example**:
+```javascript
+const validation = security.validateSecurityHeaders();
+if (!validation.valid) {
+    console.warn('Security issues:', validation.issues);
+}
+```
+
+---
+
+## CSRF Token Management
+
+### Automatic Token Refresh
+
+```javascript
+const security = SecurityManager.create({
+    csrf: {
+        autoRefresh: true,
+        refreshInterval: 30 * 60 * 1000 // Refresh every 30 minutes
+    }
+});
+```
+
+### Manual Token Refresh
+
+```javascript
+await security.refreshCsrfToken();
+```
+
+### Using Token in Requests
+
+```javascript
+// Get token header
+const headers = security.getCsrfTokenHeader();
+
+// Use in fetch
+const response = await fetch('/api/endpoint', {
+    method: 'POST',
+    headers: {
+        ...headers,
+        'Content-Type': 'application/json'
+    },
+    body: JSON.stringify(data)
+});
+```
+
+---
+
+## XSS Protection
+
+### HTML Sanitization
+
+```javascript
+const security = SecurityManager.create({
+    xss: {
+        enabled: true,
+        sanitizeOnInput: true // Auto-sanitize on input
+    }
+});
+
+// Manual sanitization
+const safe = security.sanitizeHtml(userInput);
+```
+
+### HTML Escaping
+
+```javascript
+const escaped = security.escapeHtml('<script>alert("xss")</script>');
+```
+
+### URL Validation
+
+```javascript
+if (security.validateUrl(userInput)) {
+    // Safe URL
+    window.location.href = userInput;
+} else {
+    // Potentially dangerous
+    console.error('Invalid URL');
+}
+```
+
+---
+
+## Content Security Policy
+
+### CSP Validation
+
+```javascript
+const security = SecurityManager.create({
+    csp: {
+        enabled: true
+    }
+});
+
+// CSP is automatically validated on init
+// Check validation results
+const validation = security.validateSecurityHeaders();
+```
+
+---
+
+## Integration with LiveComponents
+
+```javascript
+import { SecurityManager } from './modules/security/index.js';
+import { LiveComponentManager } from './modules/livecomponent/index.js';
+
+const security = SecurityManager.create();
+
+// LiveComponents automatically use CSRF tokens
+// But you can also manually update tokens
+security.csrfManager.updateAllTokens();
+```
+
+---
+
+## Integration with Forms
+
+```javascript
+import { SecurityManager } from './modules/security/index.js';
+
+const security = SecurityManager.create();
+
+// Forms automatically get updated CSRF tokens
+// Listen for token refresh events
+window.addEventListener('csrf:token-refreshed', (event) => {
+    console.log('CSRF token refreshed:', event.detail.token);
+});
+```
+
+---
+
+## Use Cases
+
+### API Requests with CSRF
+
+```javascript
+const security = SecurityManager.create();
+
+async function apiCall(url, data) {
+    const response = await fetch(url, {
+        method: 'POST',
+        headers: {
+            ...security.getCsrfTokenHeader(),
+            'Content-Type': 'application/json'
+        },
+        body: JSON.stringify(data)
+    });
+    
+    return response.json();
+}
+```
+
+### User Input Sanitization
+
+```javascript
+const security = SecurityManager.create();
+
+function handleUserInput(input) {
+    // Sanitize HTML
+    const sanitized = security.sanitizeHtml(input);
+    
+    // Escape for display
+    const escaped = security.escapeHtml(input);
+    
+    // Validate URL
+    if (security.validateUrl(input)) {
+        // Safe to use as URL
+    }
+}
+```
+
+### Security Headers Check
+
+```javascript
+const security = SecurityManager.create();
+
+// Validate security headers
+const validation = security.validateSecurityHeaders();
+if (!validation.valid) {
+    console.warn('Security issues detected:', validation.issues);
+    // Report to backend or show warning
+}
+```
+
+---
+
+## Best Practices
+
+1. **Always Use CSRF Tokens** - Include CSRF tokens in all state-changing requests
+2. **Sanitize User Input** - Sanitize HTML before displaying user content
+3. **Validate URLs** - Always validate URLs before using them
+4. **Enable Auto-Refresh** - Keep CSRF tokens fresh with auto-refresh
+5. **Check Security Headers** - Validate security headers in development
+
+---
+
+## Browser Support
+
+- **Chrome/Edge**: 90+
+- **Firefox**: 88+
+- **Safari**: 14+
+- **Mobile**: iOS 14+, Android Chrome 90+
+
+**Required Features**:
+- ES2020 JavaScript
+- Fetch API
+- CustomEvent support
+
+---
+
+**Next**: [Cache Manager Module](cache-manager.md) →
+