default.conf

server {
  listen 80;
  server_name _;

  # Set client max body size
  client_max_body_size 20M;

  # Serve static files with caching
  location / {
    root /usr/share/nginx/html;
    try_files $uri $uri/ /index.html;
    
    # Cache busting for index.html
    location = /index.html {
      add_header Cache-Control "no-cache, no-store, must-revalidate";
      add_header Pragma "no-cache";
      add_header Expires "0";
    }
    
    # Cache static assets
    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
      add_header Cache-Control "public, max-age=31536000, immutable";
      expires 1y;
    }
  }

  # Security headers
  add_header X-Frame-Options "SAMEORIGIN" always;
  add_header X-XSS-Protection "1; mode=block" always;
  add_header X-Content-Type-Options "nosniff" always;
  add_header Referrer-Policy "strict-origin-when-cross-origin" always;
  add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;

  # CORS headers
  map $http_origin $cors_origin {
    default "";
    "~^https?://(www\.)?espacogeek\.com(:\d+)?$" $http_origin;
  }
  # Set the origin header dynamically when the origin matches the allowed pattern
  add_header Access-Control-Allow-Origin $cors_origin always;
  add_header Access-Control-Allow-Credentials "true" always;
  add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;
  add_header Access-Control-Allow-Headers "Content-Type, Authorization, X-Requested-With" always;
  add_header Access-Control-Max-Age "86400" always;
  add_header Vary "Origin" always;

  # Handle OPTIONS requests
  if ($request_method = 'OPTIONS') {
    return 204;
  }

  # Deny access to hidden files
  location ~ /\. {
    deny all;
    access_log off;
    log_not_found off;
  }

  # Error pages
  error_page 404 /index.html;
  error_page 500 502 503 504 /index.html;
}