tron/docker/nginx.conf

server {
    listen 80;
    server_name _;

    root /usr/share/nginx/html;
    index index.html;

    # === Security headers ===
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
    add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https:; script-src 'self' 'unsafe-inline'; connect-src 'self' https://apilist.tronscan.org https://api.coingecko.com https://api.frankfurter.dev;" always;

    # === Compression ===
    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_min_length 256;
    gzip_types
        text/plain
        text/css
        text/javascript
        application/javascript
        application/json
        application/xml
        image/svg+xml;

    # === Static asset caching (1 year — hashed filenames) ===
    location ~* \.(?:css|js)$ {
        expires 1y;
        add_header Cache-Control "public, immutable";
        access_log off;
    }

    # === Media & font caching (1 week) ===
    location ~* \.(?:png|jpg|jpeg|gif|ico|svg|webp|woff2?|ttf|otf)$ {
        expires 7d;
        add_header Cache-Control "public";
        access_log off;
    }

    # === SEO files (1 hour) ===
    location ~* ^/(?:robots\.txt|sitemap\.xml|manifest\.json)$ {
        expires 1h;
        add_header Cache-Control "public";
        access_log off;
    }

    # === SPA fallback — serve index.html for any unmatched route ===
    location / {
        try_files $uri $uri/ /index.html;
        add_header Cache-Control "no-cache, no-store, must-revalidate";
        add_header Pragma "no-cache";
        add_header Expires "0";
    }

    # === Health endpoint ===
    location = /health {
        access_log off;
        return 200 "OK\n";
        add_header Content-Type text/plain;
    }

    # === Block dot-files (except .well-known) ===
    location ~ /\.(?!well-known).* {
        deny all;
        access_log off;
        log_not_found off;
    }
}