From 712b8477b9aeb9a71f42269db7b83c8e0fbbf193 Mon Sep 17 00:00:00 2001
From: "matthias.lotz" <matthias.lotz@hobbyhimmel.de>
Date: Tue, 25 Nov 2025 20:26:59 +0100
Subject: [PATCH] feat: Implement public/internal host separation

Backend:
- Add hostGate middleware for host-based API protection
- Extend rate limiter with publicUploadLimiter (20/hour)
- Add source_host and source_type to audit logs
- Database migration for audit log source tracking
- Unit tests for hostGate middleware (10/20 passing)

Frontend:
- Add hostDetection utility for runtime host detection
- Implement React code splitting with lazy loading
- Update App.js with ProtectedRoute component
- Customize 404 page for public vs internal hosts
- Update env-config.js for host configuration

Docker:
- Add environment variables to prod/dev docker-compose
- Configure ENABLE_HOST_RESTRICTION flags
- Set PUBLIC_HOST and INTERNAL_HOST variables

Infrastructure:
- Prepared for nginx-proxy-manager setup
- Trust proxy configuration (TRUST_PROXY_HOPS=1)

Note: Some unit tests still need adjustment for ENV handling
---
 .../FEATURE_REQUEST-FrontendPublic.md         |  23 +-
 .../009_add_audit_log_source_tracking.sql     |  11 +
 backend/src/middlewares/auditLog.js           |   6 +-
 backend/src/middlewares/hostGate.js           |  97 ++++++
 backend/src/middlewares/index.js              |   3 +
 backend/src/middlewares/rateLimiter.js        |  63 +++-
 .../ManagementAuditLogRepository.js           |  60 +++-
 backend/src/routes/upload.js                  |   3 +-
 backend/src/server.js                         |  11 +-
 .../tests/unit/middlewares/hostGate.test.js   | 276 ++++++++++++++++++
 docker/dev/docker-compose.yml                 |   5 +
 docker/prod/docker-compose.yml                |  10 +
 frontend/.env.example                         |   4 +
 frontend/src/App.js                           | 120 ++++++--
 frontend/src/Components/Pages/404Page.js      |  39 ++-
 frontend/src/Utils/hostDetection.js           |  94 ++++++
 16 files changed, 772 insertions(+), 53 deletions(-)
 create mode 100644 backend/src/database/migrations/009_add_audit_log_source_tracking.sql
 create mode 100644 backend/src/middlewares/hostGate.js
 create mode 100644 backend/tests/unit/middlewares/hostGate.test.js
 create mode 100644 frontend/src/Utils/hostDetection.js

diff --git a/FeatureRequests/FEATURE_REQUEST-FrontendPublic.md b/FeatureRequests/FEATURE_REQUEST-FrontendPublic.md
index 2d1731a..fa1d20e 100644
--- a/FeatureRequests/FEATURE_REQUEST-FrontendPublic.md
+++ b/FeatureRequests/FEATURE_REQUEST-FrontendPublic.md
@@ -11,15 +11,14 @@ Es soll unterschieden werden, welche Funktionen der App abhängig von der aufger
 - `deinprojekt.meindomain.de` (extern erreichbar): Nur Uploads und das Editieren via zugewiesenem Link (Management-UUID) sollen möglich sein. Keine Moderations-, Gruppen- oder Slideshow-Funktionen sichtbar oder nutzbar.
 - `deinprojekt.lan.meindomain.de` (Intranet): Vollständige Funktionalität (Slideshow, Groupsview, Moderation, Admin-Endpunkte) sowie volle Navigation/Buttons im Frontend.
 
-Die Anwendung läuft in Docker auf einem Ubuntu-Server, vorgeschaltet ist ein `nginx-proxy-manager`. Die Domain `*.lan.meindomain.de` ist nur intern erreichbar und besitzt ein gültiges SSL-Zertifikat für das Intranet.
+Die Anwendung läuft in Docker auf einem Ubuntu-Server, vorgeschaltet ist ein `nginx-proxy-manager`. Die Domain `*.lan.meindomain.de` ist nur intern erreichbar und besitzt ein gültiges SSL-Zertifikat für das Intranet (dns challenge letsencrypt).
 
-Es wäre optional möglich, das public-Frontend extern zu hosten und nur die entsprechenden API-Endpunkte öffentlich verfügbar zu machen.
 
 ## Ziele
 
-- Sicherheit: Admin-/Moderations-Funktionalität niemals über die öffentliche Subdomain erreichbar machen.
-- UX: Im öffentlichen (externen) Kontext nur die Upload-Experience sichtbar und bedienbar.
-- Flexibilität: Support sowohl für ein und denselben Host (Host-Header-Check) als auch für separat gehostetes public-Frontend.
+- Sicherheit: Slideshow, Groupview und Admin-/Moderations-Funktionalität niemals über die öffentliche Subdomain erreichbar machen.
+- UX: Im öffentlichen (externen) Kontext nur die Upload-Experience sichtbar und bedienbar. (die Upload Seite ist bereits so gestalltet, dass keine Menüpunkte sichtbar sind)
+
 
 ## Vorschlag — Technische Umsetzung (hoher Level)
 
@@ -80,23 +79,21 @@ Nach Durchsicht von `README.md`, `README.dev.md`, `CHANGELOG.md` und `AUTHENTICA
 
 1. Domains — exakte Hosts
   - Dokumentation: Platzhalter-Hosts wurden als Beispiele verwendet (z. B. `deinprojekt.meindomain.de` und `deinprojekt.lan.meindomain.de`).
-  - Empfehlung / Bitte bestätigen: Nenne bitte die echten Subdomains, die Dein Deployment verwenden wird. Beispiel‑Antwort reicht: `public.example.com` und `public.lan.example.com`.
+  - Empfehlung / Bitte bestätigen: Nenne bitte die echten Subdomains, die Dein Deployment verwenden wird. Beispiel‑Antwort reicht: `deinprojekt.hobbyhimmel.de` und `deinprojekt.lan.hobbyhimmel.de`.
 
 2. Host-Check vs. zusätzliche Checks
-  - Doku: Admin‑API ist bereits serverseitig per Bearer‑Token (`ADMIN_API_KEY`) geschützt. Management‑API nutzt UUID‑Token mit Rate‑Limits (10 req/h) und Brute‑Force‑Schutz.
+  - Doku: Admin‑API ist bereits serverseitig per Admin Login geschützt. Management‑API nutzt UUID‑Token mit Rate‑Limits (10 req/h) und Brute‑Force‑Schutz.
   - Empfehlung: Primär Host‑Header (`Host` / `X-Forwarded-Host`) prüfen (einfach, zuverlässig). Zusätzlich empfehle ich für Admin‑APIs die Kombination aus Bearer‑Token + Host‑Check (defense in depth). Bitte bestätigen, ob IP‑Whitelist gewünscht ist.
 
-3. Externes Hosting des public‑Frontends
-  - Doku: Assets und Server liegen standardmäßig lokal (backend `src/data/images` / `src/data/previews`). Externes Hosting ist nicht Teil der Standardkonfiguration.
-  - Empfehlung: Behalte Assets intern (Standard). Wenn Du extern hosten willst, müssen CORS, Allowlist und ggf. signierte URLs implementiert werden. Bestätige, ob externes Hosting geplant ist.
+3. Externes Hosting des public‑Frontends -> nicht mehr nötig
 
 4. Management‑UUID (Editieren von extern)
   - Doku: Management‑Tokens sind permanent gültig bis Gruppe gelöscht; Token sind URL‑basiert und Rate‑limited (10 req/h). README zeigt, dass Management‑Portal für Self‑Service gedacht ist und kein zusätzliches network restriction vorgesehen ist.
   - Schlussfolgerung: Editieren per UUID ist technisch erlaubt und im Projekt vorgesehen. Wenn Du das beibehalten willst, ist keine weitere technische Änderung nötig. Falls Du TTL für Tokens möchtest, bitte angeben.
 
 5. Admin‑APIs: Host‑only oder zusätzlich Bearer‑Token?
-  - Doku: Admin APIs sind bereits durch Bearer‑Token geschützt (`ADMIN_API_KEY`).
-  - Empfehlung: Behalte Bearer‑Token als Hauptschutz und ergänze Host‑Restriction (Admin nur intern erreichbar) für zusätzliche Sicherheit. Bitte bestätigen.
+  - ~~Doku: Admin APIs sind bereits durch Bearer‑Token geschützt (`ADMIN_API_KEY`).~~
+  - ~~Empfehlung: Behalte Bearer‑Token als Hauptschutz und ergänze Host‑Restriction (Admin nur intern erreichbar) für zusätzliche Sicherheit. Bitte bestätigen.~~
 
 6. Rate‑Limits / Quotas für public Uploads
   - Doku: Management hat 10 req/h per IP; Upload‑Rate‑Limits für public uploads sind nicht konkret spezifiziert.
@@ -104,7 +101,7 @@ Nach Durchsicht von `README.md`, `README.dev.md`, `CHANGELOG.md` und `AUTHENTICA
 
 7. Logging / Monitoring
   - Doku: Es gibt umfassende Audit-Logs (`management_audit_log`, `deletion_log`).
-  - Empfehlung: Ergänze ein Feld/Label `source_host` oder `source_type` für public vs. internal Uploads für bessere Filterbarkeit. Bestätigen?
+  - Empfehlung: Ergänze ein Feld/Label `source_host` oder `source_type` für public vs. internal Uploads für bessere Filterbarkeit. Bestätigen? Passt!
 
 8. Assets / CDN
   - Doku: Bilder und Previews werden lokal gespeichert; kein CDN-Flow vorhanden. Du hast klargestellt: Bilder sind intern und nur über UUID‑Links zugänglich.
diff --git a/backend/src/database/migrations/009_add_audit_log_source_tracking.sql b/backend/src/database/migrations/009_add_audit_log_source_tracking.sql
new file mode 100644
index 0000000..635a2d1
--- /dev/null
+++ b/backend/src/database/migrations/009_add_audit_log_source_tracking.sql
@@ -0,0 +1,11 @@
+-- Migration 009: Add source tracking to audit log
+-- Adds source_host and source_type columns to management_audit_log
+
+-- Add source_host column (stores the hostname from which request originated)
+ALTER TABLE management_audit_log ADD COLUMN source_host TEXT;
+
+-- Add source_type column (stores 'public' or 'internal')
+ALTER TABLE management_audit_log ADD COLUMN source_type TEXT;
+
+-- Create index for filtering by source_type
+CREATE INDEX IF NOT EXISTS idx_audit_log_source_type ON management_audit_log(source_type);
diff --git a/backend/src/middlewares/auditLog.js b/backend/src/middlewares/auditLog.js
index c3ebfa8..02dccfd 100644
--- a/backend/src/middlewares/auditLog.js
+++ b/backend/src/middlewares/auditLog.js
@@ -14,6 +14,8 @@ const auditLogMiddleware = (req, res, next) => {
     const ipAddress = req.ip || req.connection.remoteAddress || 'unknown';
     const userAgent = req.get('user-agent') || 'unknown';
     const managementToken = req.params.token || null;
+    const sourceHost = req.get('x-forwarded-host') || req.get('host') || 'unknown';
+    const sourceType = req.requestSource || 'unknown';
 
     /**
      * Log-Funktion für Controllers
@@ -33,7 +35,9 @@ const auditLogMiddleware = (req, res, next) => {
                 errorMessage,
                 ipAddress,
                 userAgent,
-                requestData
+                requestData,
+                sourceHost,
+                sourceType
             });
         } catch (error) {
             console.error('Failed to write audit log:', error);
diff --git a/backend/src/middlewares/hostGate.js b/backend/src/middlewares/hostGate.js
new file mode 100644
index 0000000..e915152
--- /dev/null
+++ b/backend/src/middlewares/hostGate.js
@@ -0,0 +1,97 @@
+/**
+ * Host Gate Middleware
+ * Blockiert geschützte API-Routen für public Host
+ * Erlaubt nur Upload + Management für public Host
+ * 
+ * Erkennt Host via X-Forwarded-Host (nginx-proxy-manager) oder Host Header
+ */
+
+const PUBLIC_HOST = process.env.PUBLIC_HOST || 'deinprojekt.hobbyhimmel.de';
+const INTERNAL_HOST = process.env.INTERNAL_HOST || 'deinprojekt.lan.hobbyhimmel.de';
+const ENABLE_HOST_RESTRICTION = process.env.ENABLE_HOST_RESTRICTION !== 'false';
+
+// Routes die NUR für internal Host erlaubt sind
+const INTERNAL_ONLY_ROUTES = [
+    '/api/admin',
+    '/api/groups',
+    '/api/slideshow',
+    '/api/migration',
+    '/api/moderation',
+    '/api/reorder',
+    '/api/batch-upload',
+    '/api/social-media',
+    '/api/auth/login',    // Admin Login nur internal
+    '/api/auth/logout',
+    '/api/auth/session'
+];
+
+// Routes die für public Host erlaubt sind
+const PUBLIC_ALLOWED_ROUTES = [
+    '/api/upload',
+    '/api/manage',
+    '/api/previews',
+    '/api/consent'
+];
+
+/**
+ * Middleware: Host-basierte Zugriffskontrolle
+ * @param {Object} req - Express Request
+ * @param {Object} res - Express Response
+ * @param {Function} next - Next Middleware
+ */
+const hostGate = (req, res, next) => {
+    // Feature disabled only when explicitly set to false OR in test environment without explicit enable
+    const isTestEnv = process.env.NODE_ENV === 'test';
+    const explicitlyEnabled = process.env.ENABLE_HOST_RESTRICTION === 'true';
+    const explicitlyDisabled = process.env.ENABLE_HOST_RESTRICTION === 'false';
+    
+    // Skip restriction if:
+    // - Explicitly disabled, OR
+    // - Test environment AND not explicitly enabled
+    if (explicitlyDisabled || (isTestEnv && !explicitlyEnabled)) {
+        req.isPublicHost = false;
+        req.isInternalHost = true;
+        req.requestSource = 'internal';
+        return next();
+    }
+
+    // Get host from X-Forwarded-Host (nginx-proxy-manager) or Host header
+    const forwardedHost = req.get('x-forwarded-host');
+    const hostHeader = req.get('host');
+    const host = forwardedHost || hostHeader || '';
+    const hostname = host.split(':')[0]; // Remove port if present
+
+    // Determine if request is from public or internal host
+    req.isPublicHost = hostname === PUBLIC_HOST;
+    req.isInternalHost = hostname === INTERNAL_HOST || hostname === 'localhost' || hostname === '127.0.0.1';
+
+    // Log host detection for debugging
+    if (process.env.NODE_ENV !== 'production') {
+        console.log(`🔍 Host Detection: ${hostname} → ${req.isPublicHost ? 'PUBLIC' : 'INTERNAL'}`);
+    }
+
+    // If public host, check if route is allowed
+    if (req.isPublicHost) {
+        const path = req.path;
+        
+        // Check if route is internal-only
+        const isInternalOnly = INTERNAL_ONLY_ROUTES.some(route => 
+            path.startsWith(route)
+        );
+
+        if (isInternalOnly) {
+            console.warn(`🚫 Public host blocked access to: ${path} (Host: ${hostname})`);
+            return res.status(403).json({ 
+                error: 'Not available on public host',
+                message: 'This endpoint is only available on the internal network'
+            });
+        }
+    }
+
+    // Add request source context for audit logging
+    req.requestSource = req.isPublicHost ? 'public' : 'internal';
+    
+    next();
+};
+
+module.exports = hostGate;
diff --git a/backend/src/middlewares/index.js b/backend/src/middlewares/index.js
index a82e7c1..da762d8 100644
--- a/backend/src/middlewares/index.js
+++ b/backend/src/middlewares/index.js
@@ -2,6 +2,7 @@ const express = require("express");
 const fileUpload = require("express-fileupload");
 const cors = require("./cors");
 const session = require("./session");
+const hostGate = require("./hostGate");
 
 const applyMiddlewares = (app) => {
     app.use(fileUpload());
@@ -9,6 +10,8 @@ const applyMiddlewares = (app) => {
     app.use(session);
     // JSON Parser für PATCH/POST Requests
     app.use(express.json());
+    // Host Gate: Blockiert geschützte Routen für public Host
+    app.use(hostGate);
 };
 
 module.exports = { applyMiddlewares };
\ No newline at end of file
diff --git a/backend/src/middlewares/rateLimiter.js b/backend/src/middlewares/rateLimiter.js
index c965541..0404d76 100644
--- a/backend/src/middlewares/rateLimiter.js
+++ b/backend/src/middlewares/rateLimiter.js
@@ -19,6 +19,15 @@ const RATE_LIMIT = {
     BLOCK_DURATION_MS: 24 * 60 * 60 * 1000 // 24 Stunden
 };
 
+// Public Upload Rate Limiting (strengere Limits für öffentliche Uploads)
+const PUBLIC_UPLOAD_LIMIT = {
+    MAX_UPLOADS_PER_HOUR: parseInt(process.env.PUBLIC_UPLOAD_RATE_LIMIT || '20', 10),
+    WINDOW_MS: parseInt(process.env.PUBLIC_UPLOAD_RATE_WINDOW || '3600000', 10) // 1 Stunde
+};
+
+// In-Memory Storage für Public Upload Rate-Limiting
+const publicUploadCounts = new Map(); // IP -> { count, resetTime }
+
 /**
  * Extrahiere Client-IP aus Request
  */
@@ -169,13 +178,63 @@ function getStatistics() {
             reason: info.reason,
             blockedUntil: new Date(info.blockedUntil).toISOString(),
             failedAttempts: info.failedAttempts
-        }))
+        })),
+        publicUploadActiveIPs: publicUploadCounts.size
     };
 }
 
+/**
+ * Public Upload Rate Limiter Middleware
+ * Strengere Limits für öffentliche Uploads (20 pro Stunde pro IP)
+ * Wird nur auf public Host angewendet
+ */
+function publicUploadLimiter(req, res, next) {
+    // Skip wenn nicht public Host oder Feature disabled
+    if (!req.isPublicHost || process.env.NODE_ENV === 'test') {
+        return next();
+    }
+
+    const clientIP = getClientIP(req);
+    const now = Date.now();
+
+    // Hole oder erstelle Upload-Counter für IP
+    let uploadInfo = publicUploadCounts.get(clientIP);
+
+    if (!uploadInfo || now > uploadInfo.resetTime) {
+        // Neues Zeitfenster
+        uploadInfo = {
+            count: 0,
+            resetTime: now + PUBLIC_UPLOAD_LIMIT.WINDOW_MS
+        };
+        publicUploadCounts.set(clientIP, uploadInfo);
+    }
+
+    // Prüfe Upload-Limit
+    if (uploadInfo.count >= PUBLIC_UPLOAD_LIMIT.MAX_UPLOADS_PER_HOUR) {
+        const resetIn = Math.ceil((uploadInfo.resetTime - now) / 1000 / 60);
+        console.warn(`🚫 Public upload limit exceeded for IP ${clientIP} (${uploadInfo.count}/${PUBLIC_UPLOAD_LIMIT.MAX_UPLOADS_PER_HOUR})`);
+        
+        return res.status(429).json({
+            success: false,
+            error: 'Upload limit exceeded',
+            message: `You have reached the maximum of ${PUBLIC_UPLOAD_LIMIT.MAX_UPLOADS_PER_HOUR} uploads per hour. Please try again in ${resetIn} minutes.`,
+            limit: PUBLIC_UPLOAD_LIMIT.MAX_UPLOADS_PER_HOUR,
+            resetIn: resetIn
+        });
+    }
+
+    // Erhöhe Upload-Counter
+    uploadInfo.count++;
+    publicUploadCounts.set(clientIP, uploadInfo);
+
+    // Request durchlassen
+    next();
+}
+
 module.exports = {
     rateLimitMiddleware,
     recordFailedTokenValidation,
     cleanupExpiredEntries,
-    getStatistics
+    getStatistics,
+    publicUploadLimiter
 };
diff --git a/backend/src/repositories/ManagementAuditLogRepository.js b/backend/src/repositories/ManagementAuditLogRepository.js
index c6589da..472b78a 100644
--- a/backend/src/repositories/ManagementAuditLogRepository.js
+++ b/backend/src/repositories/ManagementAuditLogRepository.js
@@ -20,6 +20,8 @@ class ManagementAuditLogRepository {
      * @param {string} logData.ipAddress - IP-Adresse
      * @param {string} logData.userAgent - User-Agent
      * @param {Object} logData.requestData - Request-Daten (wird als JSON gespeichert)
+     * @param {string} logData.sourceHost - Source Host (public/internal)
+     * @param {string} logData.sourceType - Source Type (public/internal)
      * @returns {Promise<number>} ID des Log-Eintrags
      */
     async logAction(logData) {
@@ -34,22 +36,50 @@ class ManagementAuditLogRepository {
             managementToken: undefined  // Token nie loggen
         } : null;
 
-        const query = `
-            INSERT INTO management_audit_log 
-                (group_id, management_token, action, success, error_message, ip_address, user_agent, request_data)
-            VALUES (?, ?, ?, ?, ?, ?, ?, ?)
-        `;
+        // Prüfe ob Spalten source_host und source_type existieren
+        const tableInfo = await dbManager.all(`PRAGMA table_info(management_audit_log)`);
+        const hasSourceColumns = tableInfo.some(col => col.name === 'source_host');
+
+        let query, params;
         
-        const result = await dbManager.run(query, [
-            logData.groupId || null,
-            maskedToken,
-            logData.action,
-            logData.success ? 1 : 0,
-            logData.errorMessage || null,
-            logData.ipAddress || null,
-            logData.userAgent || null,
-            sanitizedData ? JSON.stringify(sanitizedData) : null
-        ]);
+        if (hasSourceColumns) {
+            query = `
+                INSERT INTO management_audit_log 
+                    (group_id, management_token, action, success, error_message, ip_address, user_agent, request_data, source_host, source_type)
+                VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+            `;
+            params = [
+                logData.groupId || null,
+                maskedToken,
+                logData.action,
+                logData.success ? 1 : 0,
+                logData.errorMessage || null,
+                logData.ipAddress || null,
+                logData.userAgent || null,
+                sanitizedData ? JSON.stringify(sanitizedData) : null,
+                logData.sourceHost || null,
+                logData.sourceType || null
+            ];
+        } else {
+            // Fallback für alte DB-Schemas ohne source_host/source_type
+            query = `
+                INSERT INTO management_audit_log 
+                    (group_id, management_token, action, success, error_message, ip_address, user_agent, request_data)
+                VALUES (?, ?, ?, ?, ?, ?, ?, ?)
+            `;
+            params = [
+                logData.groupId || null,
+                maskedToken,
+                logData.action,
+                logData.success ? 1 : 0,
+                logData.errorMessage || null,
+                logData.ipAddress || null,
+                logData.userAgent || null,
+                sanitizedData ? JSON.stringify(sanitizedData) : null
+            ];
+        }
+        
+        const result = await dbManager.run(query, params);
         
         return result.lastID;
     }
diff --git a/backend/src/routes/upload.js b/backend/src/routes/upload.js
index 8e04512..f04ec1f 100644
--- a/backend/src/routes/upload.js
+++ b/backend/src/routes/upload.js
@@ -6,6 +6,7 @@ const path = require('path');
 const ImagePreviewService = require('../services/ImagePreviewService');
 const groupRepository = require('../repositories/GroupRepository');
 const fs = require('fs');
+const { publicUploadLimiter } = require('../middlewares/rateLimiter');
 
 const router = Router();
 
@@ -15,7 +16,7 @@ router.use('/upload', express.static( path.join(__dirname, '..', UPLOAD_FS_DIR)
 // Serve preview images via URL /previews but store files under data/previews
 router.use('/previews', express.static( path.join(__dirname, '..', PREVIEW_FS_DIR) ));
 
-router.post('/upload', async (req, res) => {
+router.post('/upload', publicUploadLimiter, async (req, res) => {
     /* 
         #swagger.tags = ['Upload']
         #swagger.summary = 'Upload a single image and create a new group'
diff --git a/backend/src/server.js b/backend/src/server.js
index 19face3..ac4224d 100644
--- a/backend/src/server.js
+++ b/backend/src/server.js
@@ -20,6 +20,10 @@ class Server {
     constructor(port) {
         this._port = port;
         this._app = express();
+        const trustProxyHops = Number.parseInt(process.env.TRUST_PROXY_HOPS ?? '1', 10);
+        if (!Number.isNaN(trustProxyHops) && trustProxyHops > 0) {
+            this._app.set('trust proxy', trustProxyHops);
+        }
     }
 
     async generateOpenApiSpecIfNeeded() {
@@ -95,8 +99,11 @@ class Server {
         this._app.use('/upload', express.static( __dirname + '/upload'));
         this._app.use('/api/previews', express.static( __dirname + '/data/previews'));
         
-        if (process.env.NODE_ENV !== 'production' && swaggerUi && swaggerDocument) {
-            this._app.use('/api/docs', swaggerUi.serve, swaggerUi.setup(swaggerDocument));
+        if (process.env.NODE_ENV !== 'production' && swaggerUi) {
+            const swaggerDocument = this.loadSwaggerDocument();
+            if (swaggerDocument) {
+                this._app.use('/api/docs', swaggerUi.serve, swaggerUi.setup(swaggerDocument));
+            }
         }
         return this._app;
     }
diff --git a/backend/tests/unit/middlewares/hostGate.test.js b/backend/tests/unit/middlewares/hostGate.test.js
new file mode 100644
index 0000000..040b027
--- /dev/null
+++ b/backend/tests/unit/middlewares/hostGate.test.js
@@ -0,0 +1,276 @@
+/**
+ * Unit Tests für hostGate Middleware
+ * Testet Host-basierte Zugriffskontrolle
+ */
+
+// Setup ENV VOR dem Require
+process.env.ENABLE_HOST_RESTRICTION = 'true';
+process.env.PUBLIC_HOST = 'public.example.com';
+process.env.INTERNAL_HOST = 'internal.example.com';
+process.env.NODE_ENV = 'development';
+
+const hostGate = require('../../../src/middlewares/hostGate');
+
+describe('Host Gate Middleware', () => {
+    let req, res, next;
+    let originalEnv;
+
+    beforeAll(() => {
+        // Sichere Original-Env
+        originalEnv = { ...process.env };
+    });
+
+    beforeEach(() => {
+        // Mock Request
+        req = {
+            get: jest.fn(),
+            path: '/api/admin/test'
+        };
+
+        // Mock Response
+        res = {
+            status: jest.fn().mockReturnThis(),
+            json: jest.fn()
+        };
+
+        // Mock Next
+        next = jest.fn();
+
+        // Setup Environment
+        process.env.ENABLE_HOST_RESTRICTION = 'true';
+        process.env.PUBLIC_HOST = 'public.example.com';
+        process.env.INTERNAL_HOST = 'internal.example.com';
+        process.env.NODE_ENV = 'development'; // NOT 'test' to enable restrictions
+    });
+
+    afterEach(() => {
+        jest.clearAllMocks();
+    });
+
+    afterAll(() => {
+        // Restore Original-Env
+        process.env = originalEnv;
+    });
+
+    describe('Host Detection', () => {
+        test('should detect public host from X-Forwarded-Host header', () => {
+            req.get.mockImplementation((header) => {
+                if (header === 'x-forwarded-host') return 'public.example.com';
+                return null;
+            });
+
+            hostGate(req, res, next);
+
+            expect(req.isPublicHost).toBe(true);
+            expect(req.isInternalHost).toBe(false);
+            expect(req.requestSource).toBe('public');
+        });
+
+        test('should detect internal host from X-Forwarded-Host header', () => {
+            req.get.mockImplementation((header) => {
+                if (header === 'x-forwarded-host') return 'internal.example.com';
+                return null;
+            });
+
+            hostGate(req, res, next);
+
+            expect(req.isPublicHost).toBe(false);
+            expect(req.isInternalHost).toBe(true);
+            expect(req.requestSource).toBe('internal');
+        });
+
+        test('should fallback to Host header if X-Forwarded-Host not present', () => {
+            req.get.mockImplementation((header) => {
+                if (header === 'x-forwarded-host') return null;
+                if (header === 'host') return 'public.example.com';
+                return null;
+            });
+
+            hostGate(req, res, next);
+
+            expect(req.isPublicHost).toBe(true);
+        });
+
+        test('should handle localhost as internal host', () => {
+            req.get.mockImplementation((header) => {
+                if (header === 'x-forwarded-host') return null;
+                if (header === 'host') return 'localhost:3000';
+                return null;
+            });
+
+            hostGate(req, res, next);
+
+            expect(req.isInternalHost).toBe(true);
+            expect(req.isPublicHost).toBe(false);
+        });
+
+        test('should strip port from hostname', () => {
+            req.get.mockReturnValue('public.example.com:8080');
+
+            hostGate(req, res, next);
+
+            expect(req.isPublicHost).toBe(true);
+        });
+    });
+
+    describe('Route Protection', () => {
+        test('should block admin routes on public host', () => {
+            req.get.mockReturnValue('public.example.com');
+            req.path = '/api/admin/deletion-log';
+
+            hostGate(req, res, next);
+
+            expect(res.status).toHaveBeenCalledWith(403);
+            expect(res.json).toHaveBeenCalledWith({
+                error: 'Not available on public host',
+                message: 'This endpoint is only available on the internal network'
+            });
+            expect(next).not.toHaveBeenCalled();
+        });
+
+        test('should block groups routes on public host', () => {
+            req.get.mockReturnValue('public.example.com');
+            req.path = '/api/groups';
+
+            hostGate(req, res, next);
+
+            expect(res.status).toHaveBeenCalledWith(403);
+        });
+
+        test('should block slideshow routes on public host', () => {
+            req.get.mockReturnValue('public.example.com');
+            req.path = '/api/slideshow';
+
+            hostGate(req, res, next);
+
+            expect(res.status).toHaveBeenCalledWith(403);
+        });
+
+        test('should block migration routes on public host', () => {
+            req.get.mockReturnValue('public.example.com');
+            req.path = '/api/migration/start';
+
+            hostGate(req, res, next);
+
+            expect(res.status).toHaveBeenCalledWith(403);
+        });
+
+        test('should block auth login on public host', () => {
+            req.get.mockReturnValue('public.example.com');
+            req.path = '/api/auth/login';
+
+            hostGate(req, res, next);
+
+            expect(res.status).toHaveBeenCalledWith(403);
+        });
+    });
+
+    describe('Allowed Routes', () => {
+        test('should allow upload route on public host', () => {
+            req.get.mockReturnValue('public.example.com');
+            req.path = '/api/upload';
+
+            hostGate(req, res, next);
+
+            expect(next).toHaveBeenCalled();
+            expect(res.status).not.toHaveBeenCalled();
+        });
+
+        test('should allow manage routes on public host', () => {
+            req.get.mockReturnValue('public.example.com');
+            req.path = '/api/manage/abc-123';
+
+            hostGate(req, res, next);
+
+            expect(next).toHaveBeenCalled();
+        });
+
+        test('should allow preview routes on public host', () => {
+            req.get.mockReturnValue('public.example.com');
+            req.path = '/api/previews/image.jpg';
+
+            hostGate(req, res, next);
+
+            expect(next).toHaveBeenCalled();
+        });
+
+        test('should allow consent routes on public host', () => {
+            req.get.mockReturnValue('public.example.com');
+            req.path = '/api/consent';
+
+            hostGate(req, res, next);
+
+            expect(next).toHaveBeenCalled();
+        });
+
+        test('should allow all routes on internal host', () => {
+            req.get.mockReturnValue('internal.example.com');
+            req.path = '/api/admin/deletion-log';
+
+            hostGate(req, res, next);
+
+            expect(next).toHaveBeenCalled();
+            expect(res.status).not.toHaveBeenCalled();
+        });
+    });
+
+    describe('Feature Flags', () => {
+        test('should bypass restriction when NODE_ENV is test and not explicitly enabled', () => {
+            // Reload module with test environment
+            delete require.cache[require.resolve('../../../src/middlewares/hostGate')];
+            process.env.NODE_ENV = 'test';
+            process.env.ENABLE_HOST_RESTRICTION = 'false'; // Not explicitly enabled
+            const hostGateTest = require('../../../src/middlewares/hostGate');
+            
+            req.get.mockReturnValue('public.example.com');
+            req.path = '/api/admin/test';
+
+            hostGateTest(req, res, next);
+
+            expect(next).toHaveBeenCalled();
+            expect(res.status).not.toHaveBeenCalled();
+            expect(req.isInternalHost).toBe(true);
+            
+            // Restore
+            delete require.cache[require.resolve('../../../src/middlewares/hostGate')];
+            process.env.NODE_ENV = 'development';
+            process.env.ENABLE_HOST_RESTRICTION = 'true';
+        });
+
+        test('should work in test environment when explicitly enabled', () => {
+            // Already set up correctly
+            process.env.NODE_ENV = 'development';
+            expect(req.isInternalHost).toBeUndefined(); // Not processed yet, just checking setup
+        });
+    });
+
+    describe('Request Source Tracking', () => {
+        test('should set requestSource to "public" for public host', () => {
+            req.get.mockReturnValue('public.example.com');
+            req.path = '/api/upload';
+
+            hostGate(req, res, next);
+
+            expect(req.requestSource).toBe('public');
+        });
+
+        test('should set requestSource to "internal" for internal host', () => {
+            req.get.mockReturnValue('internal.example.com');
+            req.path = '/api/admin/test';
+
+            hostGate(req, res, next);
+
+            expect(req.requestSource).toBe('internal');
+        });
+
+        test('should set requestSource to "internal" when restrictions disabled', () => {
+            process.env.ENABLE_HOST_RESTRICTION = 'false';
+            req.get.mockReturnValue('anything.example.com');
+            req.path = '/api/test';
+
+            hostGate(req, res, next);
+
+            expect(req.requestSource).toBe('internal');
+        });
+    });
+});
diff --git a/docker/dev/docker-compose.yml b/docker/dev/docker-compose.yml
index 264d9a1..bc6d4c0 100644
--- a/docker/dev/docker-compose.yml
+++ b/docker/dev/docker-compose.yml
@@ -20,6 +20,8 @@ services:
       - CHOKIDAR_USEPOLLING=true
       - API_URL=http://localhost:5001
       - CLIENT_URL=http://localhost:3000
+      - PUBLIC_HOST=localhost
+      - INTERNAL_HOST=localhost
     depends_on:
       - backend-dev
     networks:
@@ -40,6 +42,9 @@ services:
       - ./backend/config/.env:/usr/src/app/.env:ro
     environment:
       - NODE_ENV=development
+      - PUBLIC_HOST=localhost
+      - INTERNAL_HOST=localhost
+      - ENABLE_HOST_RESTRICTION=false
     networks:
       - dev-internal
     command: [ "npm", "run", "server" ]
diff --git a/docker/prod/docker-compose.yml b/docker/prod/docker-compose.yml
index 7aba6d9..69202f0 100644
--- a/docker/prod/docker-compose.yml
+++ b/docker/prod/docker-compose.yml
@@ -16,6 +16,8 @@ services:
     environment:
       - API_URL=http://backend:5000
       - CLIENT_URL=http://localhost
+      - PUBLIC_HOST=deinprojekt.hobbyhimmel.de
+      - INTERNAL_HOST=deinprojekt.lan.hobbyhimmel.de
       
     networks:
       - npm-nw
@@ -40,6 +42,14 @@ services:
       - ADMIN_SESSION_DIR=/usr/src/app/src/data/sessions
       # ⚠️  Für HTTP-only Labs per Override auf "false" setzen (nicht im Repo committen)
       - ADMIN_SESSION_COOKIE_SECURE=true
+      # Host Configuration (Public/Internal Separation)
+      - PUBLIC_HOST=deinprojekt.hobbyhimmel.de
+      - INTERNAL_HOST=deinprojekt.lan.hobbyhimmel.de
+      - ENABLE_HOST_RESTRICTION=true
+      - PUBLIC_UPLOAD_RATE_LIMIT=20
+      - PUBLIC_UPLOAD_RATE_WINDOW=3600000
+      # Trust nginx-proxy-manager (1 hop)
+      - TRUST_PROXY_HOPS=1
 
 
 
diff --git a/frontend/.env.example b/frontend/.env.example
index 825b3ea..d573867 100644
--- a/frontend/.env.example
+++ b/frontend/.env.example
@@ -4,3 +4,7 @@
 # via `REACT_APP_*` variables only if they are safe to expose to browsers.
 # Example:
 # REACT_APP_PUBLIC_API_BASE=https://example.com
+
+# Host Configuration (for public/internal separation)
+PUBLIC_HOST=deinprojekt.hobbyhimmel.de
+INTERNAL_HOST=deinprojekt.lan.hobbyhimmel.de
diff --git a/frontend/src/App.js b/frontend/src/App.js
index 0512ca7..6d5ce2b 100644
--- a/frontend/src/App.js
+++ b/frontend/src/App.js
@@ -1,31 +1,115 @@
+import React, { lazy, Suspense } from 'react';
 import './App.css';
-import { BrowserRouter as Router, Routes, Route } from 'react-router-dom';
+import { BrowserRouter as Router, Routes, Route, Navigate } from 'react-router-dom';
 import { AdminSessionProvider } from './contexts/AdminSessionContext.jsx';
+import { getHostConfig } from './Utils/hostDetection.js';
 
-// Pages
+// Always loaded (public + internal)
 import MultiUploadPage from './Components/Pages/MultiUploadPage';
-import SlideshowPage from './Components/Pages/SlideshowPage';
-import GroupsOverviewPage from './Components/Pages/GroupsOverviewPage';
-import ModerationGroupsPage from './Components/Pages/ModerationGroupsPage';
-import ModerationGroupImagesPage from './Components/Pages/ModerationGroupImagesPage';
-import PublicGroupImagesPage from './Components/Pages/PublicGroupImagesPage';
 import ManagementPortalPage from './Components/Pages/ManagementPortalPage';
-import FZF from './Components/Pages/404Page.js'
+import NotFoundPage from './Components/Pages/404Page.js';
+
+// Lazy loaded (internal only) - Code Splitting für Performance
+const SlideshowPage = lazy(() => import('./Components/Pages/SlideshowPage'));
+const GroupsOverviewPage = lazy(() => import('./Components/Pages/GroupsOverviewPage'));
+const PublicGroupImagesPage = lazy(() => import('./Components/Pages/PublicGroupImagesPage'));
+const ModerationGroupsPage = lazy(() => import('./Components/Pages/ModerationGroupsPage'));
+const ModerationGroupImagesPage = lazy(() => import('./Components/Pages/ModerationGroupImagesPage'));
+
+/**
+ * Protected Route Component
+ * Redirects to upload page if accessed from public host
+ */
+const ProtectedRoute = ({ children }) => {
+  const hostConfig = getHostConfig();
+  
+  if (hostConfig.isPublic) {
+    // Redirect to upload page - feature not available on public
+    return <Navigate to="/" replace />;
+  }
+  
+  return children;
+};
+
+/**
+ * Loading Fallback für Code Splitting
+ */
+const LoadingFallback = () => (
+  <div style={{ 
+    display: 'flex', 
+    justifyContent: 'center', 
+    alignItems: 'center', 
+    height: '100vh',
+    flexDirection: 'column',
+    gap: '1rem'
+  }}>
+    <div className="spinner"></div>
+    <p>Lädt...</p>
+  </div>
+);
 
 function App() {
+  const hostConfig = getHostConfig();
+
   return (
     <AdminSessionProvider>
       <Router>
-        <Routes>
-          <Route path="/" exact element={<MultiUploadPage />} />
-          <Route path="/slideshow" element={<SlideshowPage />} />
-          <Route path="/groups/:groupId" element={<PublicGroupImagesPage />} />
-          <Route path="/groups" element={<GroupsOverviewPage />} />
-          <Route path="/moderation" exact element={<ModerationGroupsPage />} />
-          <Route path="/moderation/groups/:groupId" element={<ModerationGroupImagesPage />} />
-          <Route path="/manage/:token" element={<ManagementPortalPage />} />
-          <Route path="*" element={<FZF />} />
-        </Routes>
+        <Suspense fallback={<LoadingFallback />}>
+          <Routes>
+            {/* Public Routes - immer verfügbar */}
+            <Route path="/" element={<MultiUploadPage />} />
+            <Route path="/manage/:token" element={<ManagementPortalPage />} />
+
+            {/* Internal Only Routes - nur auf internal host geladen */}
+            {hostConfig.isInternal && (
+              <>
+                <Route 
+                  path="/slideshow" 
+                  element={
+                    <ProtectedRoute>
+                      <SlideshowPage />
+                    </ProtectedRoute>
+                  } 
+                />
+                <Route 
+                  path="/groups/:groupId" 
+                  element={
+                    <ProtectedRoute>
+                      <PublicGroupImagesPage />
+                    </ProtectedRoute>
+                  } 
+                />
+                <Route 
+                  path="/groups" 
+                  element={
+                    <ProtectedRoute>
+                      <GroupsOverviewPage />
+                    </ProtectedRoute>
+                  } 
+                />
+                <Route 
+                  path="/moderation" 
+                  element={
+                    <ProtectedRoute>
+                      <ModerationGroupsPage />
+                    </ProtectedRoute>
+                  } 
+                />
+                <Route 
+                  path="/moderation/groups/:groupId" 
+                  element={
+                    <ProtectedRoute>
+                      <ModerationGroupImagesPage />
+                    </ProtectedRoute>
+                  } 
+                />
+              </>
+            )}
+
+            {/* 404 / Not Found */}
+            <Route path="*" element={<NotFoundPage />} />
+          </Routes>
+        </Suspense>
       </Router>
     </AdminSessionProvider>
   );
diff --git a/frontend/src/Components/Pages/404Page.js b/frontend/src/Components/Pages/404Page.js
index 79d57c3..ef8038b 100644
--- a/frontend/src/Components/Pages/404Page.js
+++ b/frontend/src/Components/Pages/404Page.js
@@ -1,14 +1,51 @@
 import React from 'react'
 import Navbar from '../ComponentUtils/Headers/Navbar'
+import { getHostConfig } from '../../Utils/hostDetection'
 
 import './Css/404Page.css'
 
 function FZF() {
+    const hostConfig = getHostConfig();
+
     return (
         <div className="allContainerNoBackground">
             <Navbar />
                
-            <div class="container404">
+            <div className="container404">
+                {hostConfig.isPublic ? (
+                    <div style={{ textAlign: 'center', marginTop: '2rem' }}>
+                        <h1>404 - Diese Funktion ist nicht verfügbar</h1>
+                        <p>Diese Funktion ist nur über das interne Netzwerk erreichbar.</p>
+                        <a href="/" style={{ color: '#007bff', textDecoration: 'underline' }}>
+                            Zurück zum Upload
+                        </a>
+                    </div>
+                ) : (
+                    <>
+                        <xml version="1.0" encoding="UTF-8" />
+                        <svg className="page404" viewBox="0 0 5059 4833" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlnsXlink="http://www.w3.org/1999/xlink">
+                            <g id="Page-1" stroke="none" strokeWidth="1" fill="none" fillRule="evenodd">
+                                <g id="404" transform="translate(20.000000, 20.000000)">
+                                    <path d="M2534,4063 C2534,4465.61629 2209.36983,4792 1808.91667,4792 L1291,4792 M3984,4063 C3984,4465.61629 4308.369,4792 4708.5,4792 L5019,4792 M293,625 L293,677.0625 C293,1108.34825 640.739556,1458 1069.66667,1458 L1225,1458 M1083,937 C1083,1454.43222 1500.39286,1874 2015.14286,1874 L2533,1874 M5019,1042 C5019,1502.2325 4648.056,1875 4191,1875 L3984,1875 M2534,4063 L2534,1042 M3984,4063 L3984,1042 M2845,677 C2845,907.184 3030.472,1094 3259,1094 C3487.735,1094 3673,907.184 3673,677 M2845,625 C2845,855.184 2659.556,1042 2430.6,1042 L2327,1042 M3673,625 C3673,855.184 3858.6512,1042 4087.4,1042 L4191,1042" id="tree" stroke="#000000" strokeWidth="40" strokeLinecap="round" strokeLinejoin="round"></path>
+                                    <path d="M1083,0 L1083,312" id="leaf" stroke="#000000" strokeWidth="40" strokeLinecap="round" strokeLinejoin="round"></path>
+                                    <path d="M1912,521 L1912,833" id="leaf" stroke="#000000" strokeWidth="40" strokeLinecap="round" strokeLinejoin="round"></path>
+                                    <path d="M3155,0 L3155,312" id="leaf" stroke="#000000" strokeWidth="40" strokeLinecap="round" strokeLinejoin="round"></path>
+                                    <path d="M4605,104 L4605,416" id="leaf" stroke="#000000" strokeWidth="40" strokeLinecap="round" strokeLinejoin="round"></path>
+                                    <path d="M2860,2144 L3676,2144 L3676,3116 L2860,3116 L2860,2144 Z M2937,2221 L2937,2726 L3598,2726 L3598,2221 L2937,2221 Z" id="border" stroke="#000000" strokeWidth="30" strokeLinejoin="round"></path>
+                                    <path d="M3066,2513.52727 L3066,2395 L3101.68605,2395 C3108.17445,2395 3114.12207,2395.60227 3119.52907,2396.80682 C3124.93607,2398.01137 3129.562,2399.96874 3133.40698,2402.67898 C3137.25196,2405.38922 3140.22576,2408.9727 3142.32849,2413.42955 C3144.43121,2417.88639 3145.48256,2423.36701 3145.48256,2429.87159 C3145.48256,2436.13526 3144.43121,2441.55566 3142.32849,2446.13295 C3140.22576,2450.71025 3137.22192,2454.50453 3133.31686,2457.51591 C3129.4118,2460.52729 3124.78588,2462.78579 3119.43895,2464.29148 C3114.09203,2465.79717 3108.17445,2466.55 3101.68605,2466.55 L3080.9593,2466.55 L3080.9593,2513.52727 L3066,2513.52727 Z M3080.9593,2454.26364 L3099.88372,2454.26364 C3110.33726,2454.26364 3118.02711,2452.30627 3122.95349,2448.39148 C3127.87987,2444.47668 3130.34302,2438.30345 3130.34302,2429.87159 C3130.34302,2421.31928 3127.81979,2415.38695 3122.77326,2412.07443 C3117.72672,2408.76192 3110.09695,2407.10568 3099.88372,2407.10568 L3080.9593,2407.10568 L3080.9593,2454.26364 Z M3200.09302,2515.69545 C3196.00773,2515.69545 3192.16281,2515.1233 3188.55814,2513.97898 C3184.95347,2512.83465 3181.79943,2511.20853 3179.09593,2509.10057 C3176.39243,2506.9926 3174.2597,2504.40286 3172.69767,2501.33125 C3171.13565,2498.25964 3170.35465,2494.73638 3170.35465,2490.76136 C3170.35465,2485.8227 3171.52615,2481.5165 3173.86919,2477.84261 C3176.21222,2474.16873 3179.93699,2471.00683 3185.0436,2468.35682 C3190.15022,2465.7068 3196.72864,2463.53864 3204.77907,2461.85227 C3212.8295,2460.1659 3222.50188,2458.84091 3233.79651,2457.87727 C3233.67636,2454.86589 3233.19574,2452.03524 3232.35465,2449.38523 C3231.51356,2446.73521 3230.19187,2444.41649 3228.38953,2442.42898 C3226.5872,2440.44147 3224.21416,2438.84546 3221.27035,2437.64091 C3218.32654,2436.43636 3214.75196,2435.83409 3210.54651,2435.83409 C3204.77904,2435.83409 3199.25196,2436.94828 3193.96512,2439.1767 C3188.67827,2441.40512 3183.99227,2443.78408 3179.90698,2446.31364 L3174.13953,2436.19545 C3176.30234,2434.74999 3178.85561,2433.27444 3181.79942,2431.76875 C3184.74323,2430.26306 3187.86723,2428.90796 3191.17151,2427.70341 C3194.47579,2426.49886 3197.99029,2425.50512 3201.71512,2424.72216 C3205.43994,2423.9392 3209.22479,2423.54773 3213.06977,2423.54773 C3225.08533,2423.54773 3234.00675,2426.83008 3239.8343,2433.39489 C3245.66185,2439.95969 3248.57558,2448.72267 3248.57558,2459.68409 L3248.57558,2513.52727 L3236.5,2513.52727 L3235.23837,2501.60227 L3234.69767,2501.60227 C3229.77129,2505.45684 3224.33433,2508.7693 3218.38663,2511.53977 C3212.43892,2514.31024 3206.34112,2515.69545 3200.09302,2515.69545 Z M3204.05814,2503.77045 C3209.10468,2503.77045 3214.06102,2502.65626 3218.92733,2500.42784 C3223.79363,2498.19942 3228.74997,2494.97729 3233.79651,2490.76136 L3233.79651,2467.63409 C3224.42437,2468.35682 3216.58433,2469.38068 3210.27616,2470.70568 C3203.96799,2472.03069 3198.92153,2473.6267 3195.13663,2475.49375 C3191.35173,2477.3608 3188.6783,2479.46874 3187.11628,2481.81761 C3185.55426,2484.16649 3184.77326,2486.78635 3184.77326,2489.67727 C3184.77326,2492.20683 3185.31395,2494.34488 3186.39535,2496.09148 C3187.47675,2497.83808 3188.88856,2499.28352 3190.63081,2500.42784 C3192.37307,2501.57216 3194.41569,2502.41534 3196.75872,2502.95739 C3199.10176,2503.49943 3201.53487,2503.77045 3204.05814,2503.77045 Z M3317.24419,2554 C3304.38753,2554 3294.4448,2551.89207 3287.4157,2547.67614 C3280.38659,2543.46021 3276.87209,2537.43754 3276.87209,2529.60795 C3276.87209,2526.11476 3278.10367,2522.68184 3280.56686,2519.30909 C3283.03005,2515.93635 3286.60463,2512.86479 3291.2907,2510.09432 L3291.2907,2509.37159 C3288.88758,2508.04658 3286.78489,2506.23978 3284.98256,2503.95114 C3283.18022,2501.66249 3282.27907,2498.65116 3282.27907,2494.91705 C3282.27907,2492.14658 3283.18022,2489.28581 3284.98256,2486.33466 C3286.78489,2483.38351 3289.3682,2480.76365 3292.73256,2478.475 L3292.73256,2477.75227 C3289.72867,2475.46362 3287.1754,2472.42218 3285.07267,2468.62784 C3282.96995,2464.8335 3281.9186,2460.28639 3281.9186,2454.98636 C3281.9186,2450.16816 3282.8498,2445.83184 3284.71221,2441.97727 C3286.57462,2438.12271 3289.06781,2434.84035 3292.19186,2432.13011 C3295.31591,2429.41987 3298.95056,2427.31194 3303.09593,2425.80625 C3307.2413,2424.30056 3311.65695,2423.54773 3316.34302,2423.54773 C3321.14925,2423.54773 3325.47479,2424.27045 3329.31977,2425.71591 L3365.54651,2425.71591 L3365.54651,2437.82159 L3342.83721,2437.82159 C3344.87986,2439.86933 3346.62209,2442.45908 3348.06395,2445.59091 C3349.50582,2448.72274 3350.22674,2452.03521 3350.22674,2455.52841 C3350.22674,2460.22616 3349.35563,2464.44203 3347.61337,2468.17614 C3345.87112,2471.91025 3343.46804,2475.07215 3340.40407,2477.66193 C3337.3401,2480.25172 3333.73549,2482.2392 3329.59012,2483.62443 C3325.44475,2485.00967 3321.02909,2485.70227 3316.34302,2485.70227 C3314.06007,2485.70227 3311.62695,2485.43125 3309.0436,2484.8892 C3306.46026,2484.34716 3303.96707,2483.5341 3301.56395,2482.45 C3296.99804,2485.34092 3294.71512,2488.71362 3294.71512,2492.56818 C3294.71512,2496.06138 3296.30715,2498.62101 3299.49128,2500.24716 C3302.6754,2501.8733 3307.15113,2502.68636 3312.9186,2502.68636 L3332.56395,2502.68636 C3343.85858,2502.68636 3352.23931,2504.25226 3357.7064,2507.38409 C3363.17348,2510.51592 3365.90698,2515.81587 3365.90698,2523.28409 C3365.90698,2527.37957 3364.76552,2531.2943 3362.48256,2535.02841 C3360.1996,2538.76252 3356.95545,2542.01476 3352.75,2544.78523 C3348.54455,2547.5557 3343.43801,2549.78408 3337.43023,2551.47045 C3331.42245,2553.15683 3324.69384,2554 3317.24419,2554 Z M3316.34302,2475.76477 C3321.99034,2475.76477 3326.76645,2473.89775 3330.67151,2470.16364 C3334.57657,2466.42953 3336.52907,2461.37049 3336.52907,2454.98636 C3336.52907,2451.97498 3335.98838,2449.20456 3334.90698,2446.675 C3333.82558,2444.14544 3332.38373,2441.97728 3330.5814,2440.17045 C3328.77906,2438.36363 3326.64633,2436.9483 3324.18314,2435.92443 C3321.71995,2434.90056 3319.1066,2434.38864 3316.34302,2434.38864 C3313.57944,2434.38864 3310.9661,2434.90056 3308.50291,2435.92443 C3306.03972,2436.9483 3303.90699,2438.36363 3302.10465,2440.17045 C3300.30232,2441.97728 3298.86047,2444.14544 3297.77907,2446.675 C3296.69767,2449.20456 3296.15698,2451.97498 3296.15698,2454.98636 C3296.15698,2461.37049 3298.13952,2466.42953 3302.10465,2470.16364 C3306.06979,2473.89775 3310.81586,2475.76477 3316.34302,2475.76477 Z M3318.32558,2543.15909 C3323.37212,2543.15909 3327.93796,2542.67728 3332.02326,2541.71364 C3336.10855,2540.75 3339.59301,2539.45512 3342.47674,2537.82898 C3345.36048,2536.20283 3347.55329,2534.33581 3349.05523,2532.22784 C3350.55718,2530.11988 3351.30814,2527.9216 3351.30814,2525.63295 C3351.30814,2521.41702 3349.65602,2518.58637 3346.35174,2517.14091 C3343.04746,2515.69545 3338.03104,2514.97273 3331.30233,2514.97273 L3314.18023,2514.97273 C3311.65696,2514.97273 3309.28393,2514.88239 3307.06105,2514.7017 C3304.83817,2514.52102 3302.76551,2514.12955 3300.84302,2513.52727 C3296.63758,2515.81592 3293.72385,2518.19487 3292.10174,2520.6642 C3290.47964,2523.13354 3289.6686,2525.63294 3289.6686,2528.1625 C3289.6686,2532.7398 3292.10172,2536.38351 3296.96802,2539.09375 C3301.83433,2541.80399 3308.95344,2543.15909 3318.32558,2543.15909 Z M3431.51163,2515.69545 C3424.90307,2515.69545 3418.74518,2514.6716 3413.03779,2512.62386 C3407.3304,2510.57613 3402.34401,2507.56479 3398.07849,2503.58977 C3393.81296,2499.61475 3390.44866,2494.76651 3387.98547,2489.04489 C3385.52227,2483.32327 3384.2907,2476.78867 3384.2907,2469.44091 C3384.2907,2462.33406 3385.52227,2455.95003 3387.98547,2450.28864 C3390.44866,2444.62724 3393.75289,2439.80911 3397.89826,2435.83409 C3402.04363,2431.85907 3406.7897,2428.81762 3412.13663,2426.70966 C3417.48355,2424.60169 3423.10075,2423.54773 3428.98837,2423.54773 C3435.23647,2423.54773 3440.85366,2424.54147 3445.84012,2426.52898 C3450.82658,2428.51649 3455.03196,2431.31703 3458.4564,2434.93068 C3461.88083,2438.54434 3464.49418,2442.88066 3466.29651,2447.93977 C3468.09885,2452.99889 3469,2458.59997 3469,2464.74318 C3469,2466.42955 3468.93992,2468.05567 3468.81977,2469.62159 C3468.69961,2471.18751 3468.51938,2472.57272 3468.27907,2473.77727 L3399.25,2473.77727 C3400.21125,2483.77505 3403.8459,2491.27327 3410.15407,2496.27216 C3416.46224,2501.27105 3424.18212,2503.77045 3433.31395,2503.77045 C3438.6008,2503.77045 3443.37692,2503.01762 3447.64244,2501.51193 C3451.90797,2500.00624 3456.02324,2497.98865 3459.98837,2495.45909 L3465.39535,2505.21591 C3461.06975,2508.10683 3456.1134,2510.57613 3450.52616,2512.62386 C3444.93893,2514.6716 3438.60081,2515.69545 3431.51163,2515.69545 Z M3429.34884,2435.29205 C3425.74417,2435.29205 3422.28975,2435.89431 3418.98547,2437.09886 C3415.68119,2438.30342 3412.70738,2440.01988 3410.06395,2442.2483 C3407.42053,2444.47672 3405.19768,2447.27726 3403.39535,2450.65 C3401.59301,2454.02274 3400.3314,2457.87725 3399.61047,2462.21364 L3455.48256,2462.21364 C3454.88178,2453.1795 3452.26843,2446.43411 3447.64244,2441.97727 C3443.01645,2437.52043 3436.91864,2435.29205 3429.34884,2435.29205 Z" id="Page" fill="#000000"></path>
+                                    <path d="M3396,3002.17284 L3396,2970.55556 L3474.29582,2803 L3511.75563,2803 L3432.49518,2970.55556 L3493.7492,2970.55556 L3493.7492,2903.30864 L3527.35048,2903.30864 L3527.35048,2970.55556 L3546,2970.55556 L3546,3002.17284 L3527.35048,3002.17284 L3527.35048,3037 L3493.7492,3037 L3493.7492,3002.17284 L3396,3002.17284 Z M3202,2971.55061 L3202,2868.2888 C3202.21443,2846.66206 3209.12972,2830.014 3222.74607,2818.34413 C3235.5047,2806.78132 3250.72905,2801 3268.41959,2801 C3286.6462,2801 3302.13859,2806.78132 3314.89722,2818.34413 C3327.87028,2830.014 3334.57114,2846.66206 3335,2868.2888 L3335,2971.55061 C3334.57114,2993.07028 3327.87028,3009.66481 3314.89722,3021.33468 C3302.13859,3032.89749 3286.6462,3038.78587 3268.41959,3039 C3250.72905,3038.78587 3235.5047,3032.89749 3222.74607,3021.33468 C3209.12972,3009.66481 3202.21443,2993.07028 3202,2971.55061 Z M3301.38815,2969.62348 C3300.74486,2993.28442 3289.75545,3005.22177 3268.41959,3005.4359 C3246.97652,3005.22177 3236.04071,2993.28442 3235.61185,2969.62348 L3235.61185,2870.37652 C3236.04071,2846.92971 3246.97652,2834.99235 3268.41959,2834.5641 C3289.75545,2834.99235 3300.74486,2846.92971 3301.38815,2870.37652 L3301.38815,2969.62348 Z M2990,3002.17284 L2990,2970.55556 L3068.29582,2803 L3105.75563,2803 L3026.49518,2970.55556 L3087.7492,2970.55556 L3087.7492,2903.30864 L3121.35048,2903.30864 L3121.35048,2970.55556 L3140,2970.55556 L3140,3002.17284 L3121.35048,3002.17284 L3121.35048,3037 L3087.7492,3037 L3087.7492,3002.17284 L2990,3002.17284 Z" id="notFound" fill="#000000"></path>
+                                    <path d="M582.4375,4792.43333 C903.798189,4792.43333 1164.3125,4531.89291 1164.3125,4210.5 C1164.3125,3889.10709 903.798189,3628.56667 582.4375,3628.56667 C261.076811,3628.56667 0.5625,3889.10709 0.5625,4210.5 C0.5625,4531.89291 261.076811,4792.43333 582.4375,4792.43333 Z M582.4375,4418.33333 C467.641875,4418.33333 374.625,4325.30713 374.625,4210.5 C374.625,4095.69287 467.641875,4002.66667 582.4375,4002.66667 C629.070625,4002.66667 672.129375,4018.04633 706.7925,4043.9008 M582.4375,3628.56667 L1330.5625,3628.56667 C1651.92375,3628.56667 1912.4375,3889.10653 1912.4375,4210.5 C1912.4375,4531.89347 1651.92375,4792.43333 1330.5625,4792.43333 L582.4375,4792.43333 M249.77125,4459.73373 C325.58125,4560.74073 446.361875,4626.16667 582.4375,4626.16667 C812.02875,4626.16667 998.0625,4440.11427 998.0625,4210.5 C998.0625,3980.88573 812.02875,3794.83333 582.4375,3794.83333 M1108.28625,4459.9 L1413.6875,4459.9 M1372.125,4210.5 L1496.8125,4210.5 M1704.625,4127.36667 L1906.53562,4127.36667 M1856.41125,3961.1 L1496.8125,3961.1 M582.4375,4168.93333 L582.4375,4252.06667" id="wood-stump" stroke="#000000" strokeWidth="40" strokeLinecap="round" strokeLinejoin="round"></path>
+                                </g>
+                            </g>
+                        </svg>
+                    </>
+                )}
+            </div>
+        </div>
+    )
+}
+
+export default FZF
             <xml version="1.0" encoding="UTF-8" />
             <svg class="page404" viewBox="0 0 5059 4833" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlnsXlink="http://www.w3.org/1999/xlink">
                 <g id="Page-1" stroke="none" strokeWidth="1" fill="none" fill-rule="evenodd">
diff --git a/frontend/src/Utils/hostDetection.js b/frontend/src/Utils/hostDetection.js
new file mode 100644
index 0000000..ee6f7dc
--- /dev/null
+++ b/frontend/src/Utils/hostDetection.js
@@ -0,0 +1,94 @@
+/**
+ * Host Detection Utility
+ * 
+ * Erkennt, ob App auf public oder internal Host läuft
+ * Basiert auf window.location.hostname + env-config
+ * 
+ * @module Utils/hostDetection
+ */
+
+/**
+ * Hole Host-Konfiguration und Feature-Flags
+ * @returns {Object} Host-Config mit Feature-Flags
+ */
+export const getHostConfig = () => {
+    const hostname = window.location.hostname;
+    
+    // Hole Hosts aus Runtime-Config (wird von env.sh beim Container-Start gesetzt)
+    const publicHost = window._env_?.PUBLIC_HOST || 'deinprojekt.hobbyhimmel.de';
+    const internalHost = window._env_?.INTERNAL_HOST || 'deinprojekt.lan.hobbyhimmel.de';
+
+    // Bestimme Host-Typ
+    const isPublic = hostname === publicHost;
+    const isInternal = hostname === internalHost || hostname === 'localhost' || hostname === '127.0.0.1';
+
+    // Feature Flags basierend auf Host
+    return {
+        hostname,
+        publicHost,
+        internalHost,
+        isPublic,
+        isInternal,
+        
+        // Feature Flags
+        canAccessAdmin: isInternal,
+        canAccessSlideshow: isInternal,
+        canAccessGroups: isInternal,
+        canAccessModeration: isInternal,
+        canAccessReorder: isInternal,
+        canAccessBatchUpload: isInternal,
+        canAccessSocialMedia: isInternal,
+        canAccessMigration: isInternal,
+        
+        // Immer erlaubt (public + internal)
+        canUpload: true,
+        canManageByUUID: true
+    };
+};
+
+/**
+ * Prüft, ob App auf public Host läuft
+ * @returns {boolean} True wenn public Host
+ */
+export const isPublicHost = () => {
+    return getHostConfig().isPublic;
+};
+
+/**
+ * Prüft, ob App auf internal Host läuft
+ * @returns {boolean} True wenn internal Host
+ */
+export const isInternalHost = () => {
+    return getHostConfig().isInternal;
+};
+
+/**
+ * Hole spezifisches Feature-Flag
+ * @param {string} featureName - Name des Features (z.B. 'canAccessAdmin')
+ * @returns {boolean} True wenn Feature erlaubt
+ */
+export const canAccessFeature = (featureName) => {
+    const config = getHostConfig();
+    return config[featureName] || false;
+};
+
+/**
+ * Debug-Funktion: Logge Host-Config in Console
+ * Nur in Development
+ */
+export const logHostConfig = () => {
+    if (process.env.NODE_ENV === 'development') {
+        const config = getHostConfig();
+        console.log('🔍 Host Configuration:', {
+            hostname: config.hostname,
+            isPublic: config.isPublic,
+            isInternal: config.isInternal,
+            features: {
+                admin: config.canAccessAdmin,
+                slideshow: config.canAccessSlideshow,
+                groups: config.canAccessGroups,
+                moderation: config.canAccessModeration
+            }
+        });
+    }
+};