nginx.conf

server {
    listen       80;
    listen  [::]:80;
    server_name  localhost;

    root   /usr/share/nginx/html;
    index  index.html;

    # MIME types — includes application/wasm required for WebAssembly streaming compilation
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Security headers
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Cross-Origin-Opener-Policy "same-origin" always;
    add_header Cross-Origin-Embedder-Policy "require-corp" always;

    # Gzip compression for text assets — skip WASM (already compressed by wasm-opt)
    gzip on;
    gzip_vary on;
    gzip_min_length 1000;
    gzip_comp_level 6;
    gzip_types text/html text/css application/javascript text/javascript;

    # Serve static files; fall back to index.html for any path not on disk
    # (SPA routing: direct URL access returns index.html, not 404)
    location / {
        try_files $uri $uri/ /index.html;
        add_header Cache-Control "no-cache";
    }

    # Vite content-hashed assets (JS, CSS, WASM) — serve with long-term cache headers
    # Content hash in filename guarantees cache busting on deployment
    location /assets/ {
        expires 1y;
        add_header Cache-Control "public, immutable";
        # Re-assert security headers (add_header doesn't inherit inside nested location)
        add_header X-Content-Type-Options "nosniff" always;
        add_header Cross-Origin-Opener-Policy "same-origin" always;
        add_header Cross-Origin-Embedder-Policy "require-corp" always;
    }

    # Dedicated health check endpoint — lightweight, no body, no HTML
    location = /healthz {
        access_log off;
        return 200 "ok";
        add_header Content-Type text/plain;
    }

    # Disable access logs for health checks (optional)
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    error_page 404 /index.html;
}