events { worker_connections 1024; } http { include /etc/nginx/mime.types; default_type application/octet-stream; server { listen 80; server_name _; root /usr/share/nginx/html; index index.html; # Security headers add_header Content-Security-Policy "connect-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; add_header X-Content-Type-Options "nosniff" always; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; # Gzip compression gzip on; gzip_types text/plain text/css application/json application/javascript text/xml application/xml text/javascript image/svg+xml; gzip_min_length 1000; # Deny access to hidden/dot files (.env, .git, etc.) location ~ /\. { deny all; access_log off; log_not_found off; } # Cache static assets location ~* \.(?:ico|css|js|gif|jpe?g|png|woff2?|eot|ttf|svg|json)$ { expires 6M; access_log off; add_header Cache-Control "public, immutable"; } # Service worker - no cache location = /flutter_service_worker.js { expires -1; add_header Cache-Control "no-store, no-cache, must-revalidate"; } # SPA fallback: all requests that don't match a real file go to index.html location / { try_files $uri $uri/ /index.html; } } }