server {
    listen 80;

    server_name _;
    server_tokens off;

    root /usr/share/nginx/html;

    index index.html;

    # Baseline security hardening for a static SPA.
    # NOTE: add_header directives are NOT inherited by child location blocks that
    # define their own add_header. To avoid silently dropping security headers,
    # use the `expires` directive (not add_header Cache-Control) in location blocks.
    add_header X-Frame-Options "DENY" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
    add_header Content-Security-Policy "default-src 'self'; img-src 'self' data: https:; script-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self' data:; connect-src 'self' https://backend.beammp.com; object-src 'none'; base-uri 'self'; frame-ancestors 'none'" always;

    # Installer directory: serve files directly; return 404 for anything missing.
    location ^~ /installer/ {
        try_files $uri =404;
    }

    # Vite-hashed assets (JS, CSS, fonts, images): serve directly with a long cache.
    # These files have content hashes in their names so stale cache is never an issue.
    # Return 404 if a file is genuinely missing rather than silently serving index.html.
    location ~* \.(js|css|woff2?|ttf|eot|svg|webp|avif|png|jpg|jpeg|gif|ico|map)$ {
        try_files $uri =404;
        expires 1y;
        access_log off;
    }

    # Data / download files: serve directly, no client-side cache, 404 if missing.
    location ~* \.(json|txt|exe|zip)$ {
        try_files $uri =404;
        expires -1;
        access_log off;
    }

    # SPA fallback: all other paths go to index.html so Vue Router can render the
    # correct view (including the NotFound page for unknown routes).
    location / {
        try_files $uri /index.html;
    }
}