:80 {
	# Serve static files from /srv
	root * /srv

	# Enable file browsing for static assets
	file_server

	# Security headers
	header {
		X-Frame-Options "SAMEORIGIN"
		X-XSS-Protection "1; mode=block"
		X-Content-Type-Options "nosniff"
		Referrer-Policy "no-referrer-when-downgrade"
		Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'"
	}

	# Cache static assets with long expiry
	@static {
		path *.jpg *.jpeg *.png *.gif *.ico *.css *.js *.svg *.woff *.woff2 *.ttf *.eot
	}
	header @static {
		Cache-Control "public, max-age=31536000, immutable"
	}

	# API proxy to backend (handled by caddy-docker-proxy)
	# This is just for documentation - the actual proxying is done by labels

	# SPA fallback - try file, then directory, then fallback to index.html
	try_files {path} {path}/ /index.html

	# Health check endpoint
	respond /health 200 {
		body "healthy"
		close
	}

	# Compression
	encode {
		gzip
		minimum_length 1024
	}

	# Logging
	log {
		output stdout
		format json
	}
}