{
	admin off
	persist_config off
	auto_https off

	log {
		format json
	}

	servers {
		trusted_proxies static private_ranges
	}
}

:{$PORT:80} {
	log {
		format json
	}

	respond /health 200

	# Security headers
	header {
		# Enable cross-site filter (XSS) and tell browsers to block detected attacks
		X-XSS-Protection "1; mode=block"
		# Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
		X-Content-Type-Options "nosniff"
		# Keep referrer data off of HTTP connections
		Referrer-Policy "strict-origin-when-cross-origin"
		# Enable strict Content Security Policy
		Content-Security-Policy "default-src 'self'; img-src 'self' data: https: *; style-src 'self' 'unsafe-inline' https: *; script-src 'self' 'unsafe-inline' https: *; font-src 'self' data: https: *; connect-src 'self' https: *; media-src 'self' https: *; object-src 'none'; frame-src 'self' https: *;"
		# Remove Server header
		-Server
	}

	root * .

	# Handle static files
	file_server {
		hide .git
		hide .env*
	}

	# Compression with more formats
	encode {
		gzip
		zstd
	}

	# Try files with HTML extension and handle SPA routing
	try_files {path} {path}.html {path}/index.html /index.html

	# Handle 404 errors
	handle_errors {
		rewrite * /{err.status_code}.html
		file_server
	}
}