diff --git a/infra/marketing-vps/Caddyfile b/infra/marketing-vps/Caddyfile
index 1072c54..6d3ee6b 100644
--- a/infra/marketing-vps/Caddyfile
+++ b/infra/marketing-vps/Caddyfile
@@ -1,112 +1,54 @@
-# Marketing-VPS Caddyfile — wird auf marketing.digiformer.eu deployt
-#
-# Eine Caddy-Instanz hostet alle statischen Marken-Sites über file_server.
-# Per-Marke ein Block. Jede Marke hat ihren eigenen Verzeichnis-Tree unter /var/www/<domain>/.
-# Forgejo Actions rsync't den Astro-Build-Output dorthin.
-
-{
-  # globale Optionen
-  email pascal.oelmann@digiformer.net
-  servers {
-    metrics  # Prometheus-Endpoint :2019/metrics für späteres Monitoring
-  }
-}
-
-# — slimcore.io —
-slimcore.io, www.slimcore.io {
-  root * /var/www/slimcore.io
-  encode zstd gzip
-
+# Common security headers as snippet
+(security_headers) {
   header {
-    Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+    Strict-Transport-Security "max-age=31536000; includeSubDomains"
     X-Content-Type-Options nosniff
     Referrer-Policy strict-origin-when-cross-origin
-    Permissions-Policy "interest-cohort=()"
     -Server
   }
-
-  # Astro generiert echte HTML-Files für jede Route, kein SPA-Fallback nötig
-  # /index.html, /en/index.html, /module/index.html, /en/module/index.html, etc.
-  file_server
-
-  # Sitemap, robots.txt, OG-Image direkt aus dem Root
-  @static_root path /sitemap-*.xml /robots.txt /favicon.svg /og-default.png
-  handle @static_root {
-    file_server
-  }
-
-  # Cache-Header pro Asset-Typ
-  @assets path /_astro/* /fonts/*
-  handle @assets {
-    header Cache-Control "public, max-age=31536000, immutable"
-  }
-
-  @html path *.html /
-  handle @html {
-    header Cache-Control "public, max-age=300, must-revalidate"
-  }
-
-  # Redirects — sollten in Astro-Site selbst leben, aber als Sicherheits-Netz hier
-  redir /home / permanent
-  redir /index / permanent
-
-  log {
-    output file /var/log/caddy/slimcore.io.log {
-      roll_size 100MiB
-      roll_keep 14
-    }
-    format json
-  }
 }
 
-# — digiformer.eu — (sobald migriert)
+slimcore.io, www.slimcore.io {
+  root * /var/www/slimcore.io
+  try_files {path} {path}/ /index.html
+  file_server
+  encode zstd gzip
+  import security_headers
+
+  # Pre-Launch: Basic-Auth fuer die ganze Site (User: demo / Pass: demo)
+  # Entfernen, sobald die Seite oeffentlich gehen soll.
+  basic_auth {
+    demo $2a$14$FQAC7jJWZnGJzPxNtCIkWOSrYDazfp6/bZR9oNl8IoZmOTh89wF.6
+  }
+  # Solange die Site nicht oeffentlich ist, soll sie auch nicht indexiert werden:
+  header X-Robots-Tag "noindex, nofollow"
+}
+
 digiformer.eu, www.digiformer.eu {
   root * /var/www/digiformer.eu
-  encode zstd gzip
-  header Strict-Transport-Security "max-age=31536000; includeSubDomains"
+  try_files {path} {path}/ /index.html
   file_server
-  log {
-    output file /var/log/caddy/digiformer.eu.log
-  }
+  encode zstd gzip
+  import security_headers
 }
 
-# — slimsafe.io — (sobald Marketing-Site existiert)
 slimsafe.io, www.slimsafe.io {
   root * /var/www/slimsafe.io
-  encode zstd gzip
-  header Strict-Transport-Security "max-age=31536000"
+  try_files {path} {path}/ /index.html
   file_server
-  log {
-    output file /var/log/caddy/slimsafe.io.log
-  }
+  encode zstd gzip
+  import security_headers
 }
 
-# — fonboard.io — (sobald Marketing-Site existiert)
 fonboard.io, www.fonboard.io {
   root * /var/www/fonboard.io
-  encode zstd gzip
-  header Strict-Transport-Security "max-age=31536000"
+  try_files {path} {path}/ /index.html
   file_server
-  log {
-    output file /var/log/caddy/fonboard.io.log
-  }
+  encode zstd gzip
+  import security_headers
 }
 
-# — Status-Page (intern, basicauth-geschützt) —
-status.digiformer.eu {
-  reverse_proxy 127.0.0.1:3001
-  basicauth {
-    # caddy hash-password generiert den bcrypt-Hash
-    # echtes Passwort beim Setup setzen
-    pascal $2a$14$REPLACE_WITH_BCRYPT_HASH
-  }
-}
-
-# Catch-all — unbekannte Hostnames bekommen 404, kein Default-Server
+# Catch-all for unknown hostnames hitting the IP directly
 :80 {
-  respond "Not Found" 404
-}
-
-:443 {
-  respond "Not Found" 404
+  respond "Not found" 404
 }