server { listen 80; server_name _; root /usr/share/nginx/html; index index.html; # Gzip compression (fallback for clients that don't support Brotli) gzip on; gzip_vary on; gzip_comp_level 6; gzip_min_length 256; gzip_proxied any; gzip_types text/plain text/css text/xml text/javascript application/javascript application/x-javascript application/json application/xml application/wasm application/octet-stream image/svg+xml font/woff2; gzip_disable "MSIE [1-6]\."; # Security headers add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always; add_header X-XSS-Protection "1; mode=block" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; # NEVER cache index.html and service worker - always fetch fresh location = /index.html { add_header Cache-Control "no-cache, no-store, must-revalidate"; add_header Pragma "no-cache"; add_header Expires "0"; } location = /sw.js { add_header Cache-Control "no-cache, no-store, must-revalidate"; add_header Pragma "no-cache"; add_header Expires "0"; } location = /registerSW.js { add_header Cache-Control "no-cache, no-store, must-revalidate"; add_header Pragma "no-cache"; add_header Expires "0"; } location = /manifest.webmanifest { add_header Cache-Control "no-cache, no-store, must-revalidate"; add_header Pragma "no-cache"; add_header Expires "0"; } # Cache static assets with hashed filenames (immutable) location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ { expires 1y; add_header Cache-Control "public, immutable"; } # Handle SPA routing - all routes serve index.html location / { try_files $uri $uri/ /index.html; } # Health check endpoint location /health { return 200 'OK'; add_header Content-Type text/plain; } }