server {
  listen 80;
  server_name _;
  root /usr/share/nginx/html;
  index index.html;

  # Security headers
  add_header X-Frame-Options "SAMEORIGIN" always;
  add_header X-Content-Type-Options "nosniff" always;
  add_header Referrer-Policy "strict-origin-when-cross-origin" always;
  add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;

  # Hashed asset bundles — long cache, immutable
  location /assets/ {
    expires 1y;
    add_header Cache-Control "public, immutable";
    try_files $uri =404;
  }

  # Public images and other static files
  location ~* \.(?:jpg|jpeg|png|gif|webp|svg|ico|woff2?|ttf)$ {
    expires 30d;
    add_header Cache-Control "public";
    try_files $uri =404;
  }

  # SPA fallback — any non-asset path serves index.html so future
  # client-side routing works without 404s.
  location / {
    try_files $uri $uri/ /index.html;
  }

  # Don't serve dotfiles
  location ~ /\. {
    deny all;
    access_log off;
    log_not_found off;
  }

  gzip on;
  gzip_vary on;
  gzip_min_length 1024;
  gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml;
}