server { listen 3000; server_name localhost; # Security headers add_header X-Frame-Options DENY always; add_header X-Content-Type-Options nosniff always; add_header X-XSS-Protection "1; mode=block" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' http://localhost:8000 ws://localhost:*" always; # Gzip compression gzip on; gzip_vary on; gzip_min_length 1024; gzip_proxied any; gzip_comp_level 6; gzip_types text/plain text/css text/xml text/javascript application/json application/javascript application/xml+rss application/atom+xml; # Cache static assets location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ { expires 1y; add_header Cache-Control "public, immutable"; add_header X-Frame-Options DENY always; add_header X-Content-Type-Options nosniff always; } # SPA fallback location / { root /usr/share/nginx/html; try_files $uri $uri/ /index.html; # Cache index.html for short time location = /index.html { expires 5m; add_header Cache-Control "no-cache, must-revalidate"; } } # Health check endpoint location /health { access_log off; return 200 "healthy\n"; add_header Content-Type text/plain; } }