# website
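:80 {
	# Static site served from the image's document root. This block listens on
	# plain HTTP only; TLS (and therefore the effectiveness of HSTS below) is
	# assumed to come from a TLS-terminating reverse proxy in front of it.
	root * /usr/share/caddy
	file_server
	encode zstd gzip

	# Response headers added to every response from this site
	header {
		# Configure caching: shared caches may keep a copy for 1h, then must revalidate
		Cache-Control "public, max-age=3600, must-revalidate" # 1h

		# Enable HSTS for this host only, for one year.
		# Browsers ignore this header unless it arrives over HTTPS (RFC 6797), so it
		# only works when the proxy in front terminates TLS.
		# includeSubDomains / preload are deliberately NOT set: both are required for
		# preload-list submission, but they break every subdomain that is still served
		# over plain HTTP, so opt in only once all subdomains are HTTPS-only.
		Strict-Transport-Security "max-age=31536000"

		# Prevent clickjacking attacks (legacy header; the CSP frame-ancestors
		# directive below is the modern equivalent and is kept consistent with it)
		X-Frame-Options "DENY"

		# Disable clients from sniffing the media type
		X-Content-Type-Options "nosniff"

		# Control referrer information
		Referrer-Policy "strict-origin-when-cross-origin"

		# Control browser features and APIs
		Permissions-Policy "geolocation=(), microphone=(), camera=(), fullscreen=(self), payment=(), usb=(), magnetometer=(), gyroscope=(), accelerometer=()"

		# Set CSP
		# Note: 'unsafe-inline' is needed for reveal.js presentations with inline styles
		# If you want stricter CSP, consider using nonces or hashes for inline styles
		# base-uri and frame-ancestors do NOT fall back to default-src, so they are set
		# explicitly: base-uri 'self' stops an injected <base> tag from redirecting
		# relative URLs, frame-ancestors 'none' mirrors X-Frame-Options DENY above.
		# form-action does not inherit either; add "form-action 'self'" if the
		# presentations contain no forms posting to other origins.
		# Caution: script-src allow-lists the whole cdnjs.cloudflare.com host, so any
		# library hosted there could be loaded by injected markup; pin the exact
		# library paths (CSP3 path-based sources) or add SRI hashes to the script tags.
		Content-Security-Policy "default-src 'none'; base-uri 'self'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com; script-src 'self' https://analytics.thetillhoff.de https://cdnjs.cloudflare.com; img-src 'self'; connect-src https://analytics.thetillhoff.de; font-src 'self' https://cdnjs.cloudflare.com;"
	}
}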

# Healthcheck
:8080 {
	# Liveness endpoint: every request on this port gets a fixed 200 text body.
	# None of the security headers from the :80 site apply here, and there is no
	# authentication, so this port is meant for the orchestrator's probe only —
	# NOTE(review): confirm it is not reachable from outside the host/cluster.
	respond "I'm healthy!" 200
}
