diff --git a/CHANGELOG.md b/CHANGELOG.md
index a7d788d..d8bc171 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,14 +9,16 @@
 - [README](https://github.com/flatpressblog/flatpress/blob/master/README.md): added "help and support" section
 
 ## Plugins
-- Gallery captions plugin added ([#108](https://github.com/flatpressblog/flatpress/issues/108))
-- PhotoSwipe plugin added ([#109](https://github.com/flatpressblog/flatpress/issues/109))
-- SEO Meta Tag Info plugin added ([#145](https://github.com/flatpressblog/flatpress/issues/145))
+- PhotoSwipe plugin added: Displays images and galleries with [PhotoSwipe](https://photoswipe.com/) ([#109](https://github.com/flatpressblog/flatpress/issues/109))
+- Gallery captions plugin added: Manages image captions for gallery images ([#108](https://github.com/flatpressblog/flatpress/issues/108))
+- SEO Meta Tag Info plugin added: Manages SEO meta tags ([#145](https://github.com/flatpressblog/flatpress/issues/145))
+- FlatPress Protect plugin added: Adds HTTP headers for hardening your blog ([#146](https://github.com/flatpressblog/flatpress/issues/146))
 - jQuery plugin: Updated jQuery (3.5.1 => 3.6.1) and jQueryUI (1.12.1 => 1.13.2)
 - Media Manager plugin shows 50 items per page, not 10
 - LastCommentsAdmin plugin will not even attempt to delete or rebuild LastComments caches if LastComments plugin is not available ([#43](https://github.com/flatpressblog/flatpress/issues/43))
-- Fixed errors on the Comment Center config page ([#90](https://github.com/flatpressblog/flatpress/issues/90))
-- Fixed PHP warnings in Akismet plugin ([#83](https://github.com/flatpressblog/flatpress/issues/83))
+- Comment Center plugin: Fixed errors on the config page ([#90](https://github.com/flatpressblog/flatpress/issues/90))
+- Comment Center plugin: Fixed error on sending mails with umlaut subjects ([#211](https://github.com/flatpressblog/flatpress/issues/211))
+- Akismet plugin: Fixed PHP warnings ([#83](https://github.com/flatpressblog/flatpress/issues/83))
 - BBCode plugin: Allows local video files ("attachs/video.mp4") and outputs valid HTML ([#192](https://github.com/flatpressblog/flatpress/issues/192))
 
 ## Themes
@@ -44,6 +46,7 @@
 - Logout redirects to home page again ([#119](https://github.com/flatpressblog/flatpress/issues/119))
 - Fixed disappearing non-Latin characters in page title ([#49](https://github.com/flatpressblog/flatpress/issues/49) and [#91](https://github.com/flatpressblog/flatpress/issues/91))
 - Worked around strftime() marked as deprecated as of PHP 8.1 ([#92](https://github.com/flatpressblog/flatpress/issues/92)) - thx @bohwaz
+- Comments: Fixed error on sending mails with umlaut subjects ([#209](https://github.com/flatpressblog/flatpress/issues/209))
 
 ## Security
 - Possible XSS prevented: Session cookie missed the "secure" and "httponly" flags
diff --git a/comments.php b/comments.php
index b461d07..405920f 100644
--- a/comments.php
+++ b/comments.php
@@ -222,7 +222,8 @@ function commentform() {
 					$fp_config ['general'] ['title']
 				), $lang ['comments'] ['mail']);
 
-				@utils_mail($from_mail, "{$lang ['comments'] ['newcomment']} {$lang ['comments'] ['newcomment']} {$fp_config['general']['title']}", $mail);
+				// for non-ASCII characters in the e-mail header use RFC 1342 — Encodes data with MIME base64 and splits the encrypted subject
+				@utils_mail($from_mail, '=?utf-8?B?' . base64_encode($lang ['comments'] ['newcomment']) . '=?= =?utf-8?B?' . base64_encode($fp_config ['general'] ['title']) . '==?=', $mail);
 			}
 
 			// if comment is valid, this redirect will clean the postdata
diff --git a/defaults.php b/defaults.php
index 35bb611..439c190 100755
--- a/defaults.php
+++ b/defaults.php
@@ -124,6 +124,7 @@ $serverport = "false";
 // Unterstützung für Apache und IIS
 ini_set('session.cookie_secure', 1);
 ini_set('session.cookie_httponly', 1);
+ini_set('session.cookie_samesite', 'Lax');
 if (isset($_SERVER ['HTTPS']) && ($_SERVER ['HTTPS'] == '1' || strtolower($_SERVER ['HTTPS']) == 'on')) {
 	$serverport = "https://";
 } else {
diff --git a/fp-interface/lang/cs-cz/lang.comments.php b/fp-interface/lang/cs-cz/lang.comments.php
index 53ad92d..d687941 100644
--- a/fp-interface/lang/cs-cz/lang.comments.php
+++ b/fp-interface/lang/cs-cz/lang.comments.php
@@ -11,6 +11,6 @@ S pozdravem %blogtitle%
 
 ';
 
-$lang ['comments'] ['newcomment'] = 'Nový komentář k';
+$lang ['comments'] ['newcomment'] = 'Nový komentář k ';
 
 ?>
diff --git a/fp-interface/lang/de-de/lang.comments.php b/fp-interface/lang/de-de/lang.comments.php
index aaec3f1..eed2a6f 100644
--- a/fp-interface/lang/de-de/lang.comments.php
+++ b/fp-interface/lang/de-de/lang.comments.php
@@ -16,6 +16,6 @@ Automatisch generiert von,
 
 ';
 
-$lang ['comments'] ['newcomment'] = 'Neuer Kommentar auf';
+$lang ['comments'] ['newcomment'] = 'Neuer Kommentar auf ';
 
 ?>
diff --git a/fp-interface/lang/el-gr/lang.comments.php b/fp-interface/lang/el-gr/lang.comments.php
index 7838214..d15cc34 100644
--- a/fp-interface/lang/el-gr/lang.comments.php
+++ b/fp-interface/lang/el-gr/lang.comments.php
@@ -16,6 +16,6 @@ $lang ['comments'] ['mail'] = 'Αγαπητέ/η %toname%,
 
 ';
 
-$lang ['comments'] ['newcomment'] = 'νέο σχόλιο στο';
+$lang ['comments'] ['newcomment'] = 'νέο σχόλιο στο ';
 
 ?>
diff --git a/fp-interface/lang/en-us/lang.comments.php b/fp-interface/lang/en-us/lang.comments.php
index 4c25b9f..e54ecb6 100644
--- a/fp-interface/lang/en-us/lang.comments.php
+++ b/fp-interface/lang/en-us/lang.comments.php
@@ -16,6 +16,6 @@ All the best,
 
 ';
 
-$lang ['comments'] ['newcomment'] = 'New comment on';
+$lang ['comments'] ['newcomment'] = 'New comment on ';
 
 ?>
diff --git a/fp-interface/lang/es-es/lang.comments.php b/fp-interface/lang/es-es/lang.comments.php
index d151203..21d4e4a 100644
--- a/fp-interface/lang/es-es/lang.comments.php
+++ b/fp-interface/lang/es-es/lang.comments.php
@@ -16,6 +16,6 @@ Todo lo mejor,
 
 ';
 
-$lang ['comments'] ['newcomment'] = 'Nuevo comentario sobre';
+$lang ['comments'] ['newcomment'] = 'Nuevo comentario sobre ';
 
 ?>
diff --git a/fp-interface/lang/fr-fr/lang.comments.php b/fp-interface/lang/fr-fr/lang.comments.php
index b82c22a..d3eea62 100644
--- a/fp-interface/lang/fr-fr/lang.comments.php
+++ b/fp-interface/lang/fr-fr/lang.comments.php
@@ -16,6 +16,6 @@ Cordialement,
 
 ';
 
-$lang ['comments'] ['newcomment'] = 'Nouveau commentaire sur';
+$lang ['comments'] ['newcomment'] = 'Nouveau commentaire sur ';
 
 ?>
diff --git a/fp-interface/lang/it-it/lang.comments.php b/fp-interface/lang/it-it/lang.comments.php
index 825f6ee..6990eb6 100644
--- a/fp-interface/lang/it-it/lang.comments.php
+++ b/fp-interface/lang/it-it/lang.comments.php
@@ -16,6 +16,6 @@ Saluti,
 
 ';
 
-$lang ['comments'] ['newcomment'] = 'Nuovo commento su';
+$lang ['comments'] ['newcomment'] = 'Nuovo commento su ';
 
 ?>
diff --git a/fp-interface/lang/ja-jp/lang.comments.php b/fp-interface/lang/ja-jp/lang.comments.php
index e74b026..cc52838 100644
--- a/fp-interface/lang/ja-jp/lang.comments.php
+++ b/fp-interface/lang/ja-jp/lang.comments.php
@@ -19,6 +19,6 @@ $lang ['comments'] ['mail'] = '%toname% さま,
 
 ';
 
-$lang ['comments'] ['newcomment'] = 'の新しいコメント';
+$lang ['comments'] ['newcomment'] = 'の新しいコメント ';
 
 ?>
diff --git a/fp-interface/lang/nl-nl/lang.comments.php b/fp-interface/lang/nl-nl/lang.comments.php
index 9a096aa..8297766 100644
--- a/fp-interface/lang/nl-nl/lang.comments.php
+++ b/fp-interface/lang/nl-nl/lang.comments.php
@@ -16,6 +16,6 @@ Groeten,
 
 ';
 
-$lang ['comments'] ['newcomment'] = 'Nieuw commentaar op';
+$lang ['comments'] ['newcomment'] = 'Nieuw commentaar op ';
 
 ?>
diff --git a/fp-interface/lang/pt-br/lang.comments.php b/fp-interface/lang/pt-br/lang.comments.php
index 0fcbd7f..0bc86d4 100644
--- a/fp-interface/lang/pt-br/lang.comments.php
+++ b/fp-interface/lang/pt-br/lang.comments.php
@@ -17,6 +17,6 @@ Um abraço,
 
 ';
 
-$lang ['comments'] ['newcomment'] = 'Novo comentário em';
+$lang ['comments'] ['newcomment'] = 'Novo comentário em ';
 
 ?>
diff --git a/fp-plugins/commentcenter/plugin.commentcenter.php b/fp-plugins/commentcenter/plugin.commentcenter.php
index 9df6c0f..966d4b1 100644
--- a/fp-plugins/commentcenter/plugin.commentcenter.php
+++ b/fp-plugins/commentcenter/plugin.commentcenter.php
@@ -438,7 +438,8 @@ class plugin_commentcenter {
 			$fp_config ['general'] ['title']
 		), $text);
 
-		return @utils_mail($from_mail, $subject, $text);
+		// for non-ASCII characters in the e-mail header use RFC 1342 — Encodes data with MIME base64
+		return @utils_mail($from_mail, '=?utf-8?B?' . base64_encode($subject) . '?=', $text);
 	}
 
 }
diff --git a/fp-plugins/fpprotect/doc_fpprotect.txt b/fp-plugins/fpprotect/doc_fpprotect.txt
new file mode 100644
index 0000000..7ffef12
--- /dev/null
+++ b/fp-plugins/fpprotect/doc_fpprotect.txt
@@ -0,0 +1,16 @@
+FlatPress Protect
+=================
+
+Description
+-----------
+Protect your blog with additional fetures in the HTTP response header
+
+ * Content Security Policy is an effective measure to protect your site from XSS attacks. By whitelisting sources for approved content, you can prevent the browser from loading malicious content.
+ * Permissions Policy is a new header that allows a site to control which features and APIs can be used in the browser.
+ * HTTP Strict Transport Security is an excellent feature to support on your site and strengthens your implementation of TLS by getting the User Agent to enforce the use of HTTPS.
+ * The X-Download-Options response header instructs the browser not to open the file directly but to offer it for download first. This mitigates some potential Social Engineering attacks.
+ * HTTP Strict Transport Security (HSTS for short) is a security mechanism for HTTPS connections that protects against both connection encryption downgrade attack and session hijacking.
+ * The referrer policy directive determines whether, and if so which, referrer information for requests triggered by the current web page is sent by the web browser in HTTP requests.
+
+Here you can check the security of your Flatpress blog
+https://securityheaders.com/
diff --git a/fp-plugins/fpprotect/plugin.fpprotect.php b/fp-plugins/fpprotect/plugin.fpprotect.php
new file mode 100644
index 0000000..b30346b
--- /dev/null
+++ b/fp-plugins/fpprotect/plugin.fpprotect.php
@@ -0,0 +1,23 @@
+<?php
+/*
+ * Plugin Name: FlatPress Protect
+ * Plugin URI: http://www.flatpress.org/
+ * Description: Protect your blog with additional fetures in the HTTP response header. <a href="./fp-plugins/fpprotect/doc_fpprotect.txt" title="More information" target="_blank">[More information]</a>
+ * Author: FlatPress
+ * Version: 1.0
+ * Author URI: https://www.flatpress.org
+ */
+
+// Content Security Policy rules for Youtube, Facebook and Vimeo embedded video / BBCode [video], embedded OSM
+header('Content-Security-Policy: default-src \'self\';frame-src \'self\' youtube-nocookie.com www.youtube-nocookie.com facebook.com www.facebook.com player.vimeo.com data:; base-uri \'self\'; font-src \'self\' data:; script-src \'self\' \'unsafe-inline\' \'unsafe-eval\' connect.facebook.net player.vimeo.com blob:; style-src \'self\' \'unsafe-inline\' openlayers.org; img-src \'self\' openlayers.org tile.openstreetmap.org data: blob:; frame-ancestors \'self\'; manifest-src \'self\'; worker-src \'self\' blob:; connect-src \'self\' openlayers.org blob:; media-src \'self\' blob:; child-src \'self\' blob:; form-action \'self\';');
+header('X-Content-Security-Policy: default-src \'self\';frame-src \'self\' youtube-nocookie.com www.youtube-nocookie.com facebook.com www.facebook.com player.vimeo.com data:; base-uri \'self\'; font-src \'self\' data:; script-src \'self\' \'unsafe-inline\' \'unsafe-eval\' connect.facebook.net player.vimeo.com blob:; style-src \'self\' \'unsafe-inline\' openlayers.org; img-src \'self\' openlayers.org tile.openstreetmap.org data: blob:; frame-ancestors \'self\'; manifest-src \'self\'; worker-src \'self\' blob:; connect-src \'self\' openlayers.org blob:; media-src \'self\' blob:; child-src \'self\' blob:; form-action \'self\';');
+header('X-WebKit-CSP: default-src \'self\';frame-src \'self\' youtube-nocookie.com www.youtube-nocookie.com facebook.com www.facebook.com player.vimeo.com data:; base-uri \'self\'; font-src \'self\' data:; script-src \'self\' \'unsafe-inline\' \'unsafe-eval\' connect.facebook.net player.vimeo.com blob:; style-src \'self\' \'unsafe-inline\' openlayers.org; img-src \'self\' openlayers.org tile.openstreetmap.org data: blob:; frame-ancestors \'self\'; manifest-src \'self\'; worker-src \'self\' blob:; connect-src \'self\' openlayers.org blob:; media-src \'self\' blob:; child-src \'self\' blob:; form-action \'self\';');
+// End of Content Security Policy rules
+header('Feature-Policy: interest-cohort \'none\'; autoplay \'self\'; camera \'self\'; fullscreen \'self\'; geolocation \'self\'; microphone \'self\'; payment \'none\';'); // Goodbye Feature Policy! // thx Nextcloud-Maps-App, github.com/nextcloud
+header('Permissions-Policy: interest-cohort=(), autoplay=(self), camera=(self), fullscreen=(self), geolocation=(self), microphone=(self), payment=(),'); // Hello Permissions Policy! // thx Nextcloud-Maps-App, github.com/nextcloud
+header('Referrer-Policy: strict-origin-when-cross-origin');
+header('Strict-Transport-Security: max-age=15552000; includeSubDomains');
+header('X-Permitted-Cross-Domain-Policies: none');
+header('X-Download-Options: noopen');
+?>
+