server { listen 80; server_name _; root /usr/share/nginx/html; index index.html; # Security headers add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always; add_header X-XSS-Protection "1; mode=block" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; media-src 'self' blob:; connect-src 'self'; font-src 'self';" always; add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always; # API proxy to backend location /api/ { resolver 127.0.0.11 valid=10s; set $backend http://backend:8000; proxy_pass $backend; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; # Large file uploads client_max_body_size 500M; proxy_request_buffering off; proxy_read_timeout 600s; } # SPA fallback location / { try_files $uri $uri/ /index.html; } }