only add security headers when using https -> to work with tor hidden service

.htaccess

@@ -94,11 +94,14 @@ DirectoryIndex index.php index.html index.htm
 #add CSP (report only)
 <IfModule mod_headers.c>
 #Header set Content-Security-Policy-Report-Only  "default-src 'none'; form-action 'none'; frame-ancestors 'none'; report-uri https://csrichter.report-uri.com/r/d/csp/wizard"
-Header set Content-Security-Policy "form-action 'self'; img-src 'self' data: www.gravatar.com https://baptisten-hohenacker.de/piwikCR/piwik.php; frame-src 'self' www.openstreetmap.org; style-src 'self' 'unsafe-inline'; connect-src 'self' getgrav.org; media-src 'self'; font-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://baptisten-hohenacker.de 'report-sample';upgrade-insecure-requests; report-uri https://csrichter.report-uri.com/r/d/csp/enforce"
+Header set Content-Security-Policy "form-action 'self'; img-src 'self' data: www.gravatar.com https://baptisten-hohenacker.de/piwikCR/piwik.php; frame-src 'self' www.openstreetmap.org; style-src 'self' 'unsafe-inline'; connect-src 'self' getgrav.org; media-src 'self'; font-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://baptisten-hohenacker.de 'report-sample';upgrade-insecure-requests; report-uri https://csrichter.report-uri.com/r/d/csp/enforce" env=HTTPS
 #TODO: move img-src data: and unsave-eval to separate file in /piwikCR
+
+#set HSTS, but only for TLS connections
+Header set Strict-Transport-Security "max-age=31536000;includeSubDomains;preload" env=HTTPS
+
 Header set X-XSS-Protection "1; report=https://csrichter.report-uri.com/r/d/xss/enforce"
 Header set Referrer-Policy "strict-origin-when-cross-origin"
-Header set Strict-Transport-Security "max-age=31536000;includeSubDomains;preload"
 
 Header set X-Frame-Options "SAMEORIGIN"
 Header set X-Content-Type-Options "nosniff"