server {
    listen 80 default_server;
    listen [::]:80 default_server;

    server_name _;

    root /var/www/html;
    index index.html index.htm;

    # Headers de securite
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;

    # Rate limiting (burst de 20 requetes autorise)
    limit_req zone=general burst=20 nodelay;

    location / {
        try_files $uri $uri/ =404;
    }

    # Desactiver l'acces aux fichiers caches
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Cache pour les fichiers statiques
    # Note: on utilise uniquement "expires" ici pour ne pas ecraser
    # les headers de securite du bloc server (comportement add_header de nginx)
    location ~* \.(jpg|jpeg|png|gif|ico|css|js|pdf|txt|woff|woff2|ttf|svg)$ {
        expires 7d;
    }

    error_page 404 /404.html;
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /var/www/html;
    }
}