server {
    listen 80;
    server_name _;

    root /usr/share/nginx/html;
    index index.html;

    # Never cache config.js / html so runtime config updates take effect.
    location = /config.js { add_header Cache-Control "no-store"; try_files $uri =404; }
    location ~* \.html$    { add_header Cache-Control "no-store"; try_files $uri =404; }

    location / {
        # Try files with or without .html, then fallback to index
        try_files $uri $uri.html $uri/ /index.html;
    }

    # Static assets: images/fonts can be cached, JS/CSS must revalidate.
    location ~* \.(?:jpg|jpeg|png|webp|svg|ico|woff2?)$ {
        expires 7d;
        add_header Cache-Control "public";
        try_files $uri =404;
    }
    # CSS/JS: no cache to prevent stale content during development
    location ~* \.(?:css|js)$ {
        add_header Cache-Control "no-store";
        try_files $uri =404;
    }

    # SEO files - cache for 1 week
    location = /robots.txt {
        add_header Cache-Control "public, max-age=604800";
        try_files $uri =404;
    }
    location = /sitemap.xml {
        add_header Cache-Control "public, max-age=604800";
        add_header Content-Type "application/xml";
        try_files $uri =404;
    }

    # Enable gzip compression for text-based content
    gzip on;
    gzip_types text/plain text/css text/xml text/javascript application/xml application/rss+xml application/javascript application/json;
    gzip_min_length 1000;
    gzip_comp_level 5;
    gzip_vary on;
    gzip_disable "msie6";

    # Security headers
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    # Content Security Policy - permissive for dynamic content
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://esm.sh https://fonts.googleapis.com https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https:; connect-src 'self' https:; frame-ancestors 'self';" always;

    # Permissions policy (formerly Feature Policy)
    add_header Permissions-Policy "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()" always;

    # Performance: Enable HTTP Keep-Alive
    keepalive_timeout 65;
    keepalive_requests 100;

    # Error pages
    error_page 404 /index.html;
    error_page 500 502 503 504 /index.html;
}