@@ -13,12 +13,6 @@ server {
1313 listen 80 ;
1414 server_name _;
1515
16- # Security headers
17- add_header X-Frame-Options "DENY" always;
18- add_header X-Content-Type-Options "nosniff" always;
19- add_header X-XSS-Protection "1; mode=block" always;
20- add_header Referrer-Policy "strict-origin-when-cross-origin" always;
21-
2216 # Gzip compression
2317 gzip on;
2418 gzip_vary on;
@@ -32,7 +26,7 @@ server {
3226 location /health {
3327 access_log off;
3428 return 200 "healthy\n " ;
35- add_header Content-Type text/plain;
29+ default_type text/plain;
3630 }
3731
3832 # WebSocket endpoint (proxy to backend)
@@ -101,24 +95,25 @@ server {
10195 root /usr/share/nginx/html;
10296 try_files $uri $uri / /index .html;
10397
104- # Cache static assets
105- location ~ * \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
106- expires 1y ;
107- add_header Cache-Control "public, immutable" ;
108- }
109-
110- # No cache for index.html
111- location = /index .html {
112- add_header Cache-Control "no-store, no-cache, must-revalidate" ;
113- }
98+ # Security headers
99+ add_header X-Frame-Options "DENY" always;
100+ add_header X-Content-Type-Options "nosniff" always;
101+ add_header X-XSS-Protection "1; mode=block" always;
102+ add_header Referrer-Policy "strict-origin-when-cross-origin" always;
114103 }
115104
116- # Assets directory (compiled JS/CSS)
105+ # Assets directory (compiled JS/CSS with long cache )
117106 location /assets/ {
118107 root /usr/share/nginx/html;
119108 expires 1y ;
120- add_header Cache-Control "public, immutable" ;
121109 access_log off;
110+
111+ # Security + caching headers
112+ add_header X-Frame-Options "DENY" always;
113+ add_header X-Content-Type-Options "nosniff" always;
114+ add_header X-XSS-Protection "1; mode=block" always;
115+ add_header Referrer-Policy "strict-origin-when-cross-origin" always;
116+ add_header Cache-Control "public, immutable" always;
122117 }
123118
124119 # Deny access to hidden files
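Review bot: Dropping the server-level `add_header` block in the first hunk removes the security headers from every location that does not declare its own `add_header`, which after this change includes `/health` (new lines 26–30, which now only sets `default_type`), the WebSocket proxy introduced at new line 32, and whatever other locations sit between lines 33 and 94 outside these hunks; nginx inherits `add_header` from the enclosing level only when the current level has none, which is presumably why the headers were pushed into `location /` and `/assets/`, but the proxied endpoints are left with nothing. Either keep the server-level block in addition to the per-location copies, or add the same four directives to each remaining location. The third hunk also deletes `location = /index.html` together with its `Cache-Control "no-store, no-cache, must-revalidate"` and provides no replacement, so the HTML shell is now served by the enclosing location with no cache directive and a browser may keep a cached index.html that references stale hashed asset names; restoring that location with `add_header Cache-Control "no-store, no-cache, must-revalidate" always;` next to the security headers would close that gap. The `X-XSS-Protection "1; mode=block"` line being re-added at new lines 101 and 114 is a legacy header that current browsers ignore and that older Chromium builds could abuse for information leaks; `X-XSS-Protection "0"` or omitting it is the usual recommendation, with Content-Security-Policy doing the real work. The location closed by the brace at new line 103 opens outside the hunk, so whether it is `location /` is inferred rather than visible.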