astro-website/deploy/nginx.conf

server {
  listen 80;
  server_name _;

  gzip on;
  gzip_vary on;
  gzip_proxied any;
  gzip_comp_level 6;
  gzip_min_length 1024;
  gzip_types text/plain text/css text/javascript application/javascript application/json application/xml application/rss+xml image/svg+xml;

  root /usr/share/nginx/html;
  index index.html;

  # Custom error pages
  error_page 404 /404.html;
  error_page 500 502 503 504 /500.html;

  add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://www.instagram.com https://*.instagram.com https://cloud.umami.is https://*.umami.is https://wa.santhoshj.com; style-src 'self' 'unsafe-inline'; font-src 'self' data:; img-src 'self' https: data: blob:; media-src 'self' https://anchor.fm https://*.anchor.fm https://d3ctxlq1ktw2nl.cloudfront.net; connect-src 'self' https://cloud.umami.is https://*.umami.is https://wa.santhoshj.com; frame-src https://www.youtube.com https://open.spotify.com https://www.instagram.com https://*.instagram.com; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; upgrade-insecure-requests" always;
  add_header X-Content-Type-Options "nosniff" always;
  add_header X-Frame-Options "DENY" always;
  add_header Referrer-Policy "strict-origin-when-cross-origin" always;
  add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;

  # Static assets
  location = /sw.js {
    add_header Cache-Control "no-cache, no-store, must-revalidate" always;
    try_files $uri =404;
  }

  location ~* \.(?:avif|bmp|gif|ico|jpe?g|png|svg|webp|)$ {
    expires 180d;
    add_header Cache-Control "public, max-age=15552000" always;
    try_files $uri =404;
  }

  # Ensure error pages are served without redirect
  location = /404.html {
    internal;
  }

  location = /500.html {
    internal;
  }

  location / {
    try_files $uri $uri/index.html $uri/ =404;
  }
}