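server {
    listen 80;
    server_name _;

    root /usr/share/nginx/html;
    index index.html;
    charset utf-8;

    # Do not advertise the nginx version in the Server header or on the
    # built-in error pages.
    server_tokens off;

    # Security headers.
    #
    # NOTE: nginx does NOT merge `add_header` across configuration levels. The
    # moment a location block declares any add_header of its own, it inherits
    # NONE of the server-level headers. The original config repeated only
    # X-Content-Type-Options inside the locations, so /index.html, PDFs and
    # every static asset were served without X-Frame-Options and
    # Referrer-Policy. Each location below therefore carries the full set.
    #
    # `always` (nginx >= 1.7.5) emits the header on 4xx/5xx responses as well;
    # without it add_header only applies to 2xx/3xx status codes, leaving
    # error pages unprotected.
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    # NOTE(review): no Content-Security-Policy is set. A useful policy depends
    # on the page's inline script/style usage, which is not visible here —
    # decide against the actual index.html before adding one.

    # HTML — always revalidated, so a redeployed index.html is picked up
    # immediately. Requests for "/" reach this block via the index directive's
    # internal redirect to /index.html.
    location = /index.html {
        add_header Cache-Control "no-cache, must-revalidate" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    }

    # PDF — one-day public cache; Content-Disposition forces a download rather
    # than rendering in the browser's PDF viewer.
    location ~* \.pdf$ {
        add_header Content-Disposition "attachment" always;
        add_header Cache-Control "public, max-age=86400" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    }

    # Static assets — 30-day public cache.
    #
    # The original combined `expires 30d` with an explicit Cache-Control
    # add_header; `expires` itself emits a Cache-Control header, so clients
    # received two Cache-Control headers for one response. Only the explicit
    # header is kept (Cache-Control max-age takes precedence over Expires).
    #
    # NOTE(review): `immutable` is only safe when these filenames are
    # content-hashed (e.g. app.3f9c1a.js). If index.html references unhashed
    # asset names, drop `immutable` or browsers will keep stale JS/CSS for the
    # full 30 days regardless of the no-cache policy on index.html.
    location ~* \.(js|css|woff2?|png|jpg|jpeg|svg|ico|webp)$ {
        add_header Cache-Control "public, max-age=2592000, immutable" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    }

    # Gzip. text/html is always compressed by nginx and must not appear in
    # gzip_types (it produces a "duplicate MIME type" warning at config test).
    gzip on;
    gzip_types text/css application/javascript application/json image/svg+xml;
    gzip_min_length 1024;
}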