server { listen 80; server_name _; root /usr/share/nginx/html; index index.html; # Security headers add_header X-Content-Type-Options "nosniff" always; add_header X-Frame-Options "SAMEORIGIN" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always; location / { try_files $uri $uri/ /index.html; } # Cache static assets (hashed filenames — safe to cache forever) location /assets/ { expires 1y; add_header Cache-Control "public, immutable"; } # Don't cache index.html (SPA entry point must always be fresh) location = /index.html { add_header Cache-Control "no-cache, no-store, must-revalidate"; add_header Pragma "no-cache"; add_header Expires "0"; } # Gzip gzip on; gzip_types text/plain text/css application/json application/javascript text/xml application/xml text/javascript image/svg+xml; gzip_min_length 256; }