:80 {
    root * /srv
    file_server

    encode gzip zstd

    header {
        X-Frame-Options "SAMEORIGIN"
        X-Content-Type-Options "nosniff"
        X-XSS-Protection "1; mode=block"
        Referrer-Policy "strict-origin-when-cross-origin"
        Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'"
        Permissions-Policy "geolocation=(), microphone=(), camera=()"
    }

    @static {
        path *.css *.js *.png *.jpg *.jpeg *.gif *.webp *.svg *.woff *.woff2 *.ttf
    }
    header @static Cache-Control "public, max-age=31536000, immutable"

    @html {
        path *.html /
    }
    header @html Cache-Control "public, max-age=0, must-revalidate"

    try_files {path} /index.html

    handle_errors {
        rewrite * /index.html
        file_server
    }

    log {
        output stdout
        format console
    }
}
