# Cloudflare Pages applies these at the edge. Each route inherits the
# union of all matching blocks (later blocks add headers; same header in
# later block overrides earlier).

# Security headers applied to every route.
/*
  Strict-Transport-Security: max-age=31536000; includeSubDomains
  X-Content-Type-Options: nosniff
  Referrer-Policy: strict-origin-when-cross-origin
  Permissions-Policy: camera=(), microphone=(), geolocation=(self), payment=(), usb=(), magnetometer=(), gyroscope=(), accelerometer=(), interest-cohort=()
  Content-Security-Policy: default-src 'self'; script-src 'self' blob: https://cdn.jsdelivr.net https://challenges.cloudflare.com https://static.cloudflareinsights.com 'wasm-unsafe-eval'; worker-src 'self' blob:; connect-src 'self' blob: https://cdn.jsdelivr.net https://pub-0429b8e3b5a946e69ea007df844a6f1c.r2.dev https://challenges.cloudflare.com https://extensions.duckdb.org https://*.basemaps.cartocdn.com https://*.tile.opentopomap.org https://services.arcgisonline.com; img-src 'self' blob: data: https://*.basemaps.cartocdn.com https://tile.openstreetmap.org https://services.arcgisonline.com https://*.tile.opentopomap.org https://avatars.githubusercontent.com; style-src 'self' 'unsafe-inline'; font-src 'self'; frame-src https://challenges.cloudflare.com; object-src 'none'; base-uri 'self'

# Hashed Vite assets — safe to cache forever.
/assets/*
  Cache-Control: public, max-age=31536000, immutable

# Social cards — short cache so updates propagate within a few hours.
/og-*.png
  Cache-Control: public, max-age=3600

# Catalog data — fresh-ish, but allow stale-while-revalidate so repeat visits feel instant.
# CDN-Cache-Control is required for CF Pages to actually edge-cache JSON;
# without it the response is served as cf-cache-status: DYNAMIC.
/catalog.json
  Cache-Control: public, max-age=300, stale-while-revalidate=86400
  CDN-Cache-Control: public, max-age=300, stale-while-revalidate=86400

# Sitemap + LLM discovery file — both static, both safe to cache an hour
# at the edge with stale-while-revalidate so submissions / docs changes
# show up within a day at worst.
/sitemap.xml
  Cache-Control: public, max-age=3600, stale-while-revalidate=86400
  CDN-Cache-Control: public, max-age=3600, stale-while-revalidate=86400
/llms.txt
  Cache-Control: public, max-age=3600, stale-while-revalidate=86400
  CDN-Cache-Control: public, max-age=3600, stale-while-revalidate=86400

# India boundary overlay — hand-curated GeoJSON from osm-in. Source rarely
# changes; safe to cache for a week with stale-while-revalidate so a future
# boundary update propagates within a day.
/india-boundary.geojson
  Cache-Control: public, max-age=604800, stale-while-revalidate=86400

# Natural Earth world land polygons (1:110m). Changes very rarely — cache
# aggressively. Public domain.
/world-land.geojson
  Cache-Control: public, max-age=604800, stale-while-revalidate=86400

# HTML — edge-cache with stale-while-revalidate. Earlier we had
# max-age=0, must-revalidate which forced every HTML hit to origin.
#
# Cache-Control governs the browser. CDN-Cache-Control is required for
# Cloudflare to actually edge-cache HTML — without it, Pages serves
# HTML as cf-cache-status: DYNAMIC regardless of standard Cache-Control
# (a CF Pages opinion: HTML is treated as dynamic by default).
#
# Policy: browser 1 min, edge 5 min, edge serves stale up to a day
# while async-revalidating. Hourly cron + per-submission rebuild trigger
# means catalog changes propagate within ~5 min worst case. Repeat
# visits get ~30 ms TTFB instead of ~1 s.
/
  Cache-Control: public, max-age=60, s-maxage=300, stale-while-revalidate=86400
  CDN-Cache-Control: public, max-age=300, stale-while-revalidate=86400
/index.html
  Cache-Control: public, max-age=60, s-maxage=300, stale-while-revalidate=86400
  CDN-Cache-Control: public, max-age=300, stale-while-revalidate=86400
/about
  Cache-Control: public, max-age=60, s-maxage=300, stale-while-revalidate=86400
  CDN-Cache-Control: public, max-age=300, stale-while-revalidate=86400
/preview
  Cache-Control: public, max-age=60, s-maxage=300, stale-while-revalidate=86400
  CDN-Cache-Control: public, max-age=300, stale-while-revalidate=86400
/docs
  Cache-Control: public, max-age=60, s-maxage=300, stale-while-revalidate=86400
  CDN-Cache-Control: public, max-age=300, stale-while-revalidate=86400
/mcp
  Cache-Control: public, max-age=60, s-maxage=300, stale-while-revalidate=86400
  CDN-Cache-Control: public, max-age=300, stale-while-revalidate=86400
# Legal pages — edits are rare and can wait a day to propagate.
/privacy
  Cache-Control: public, max-age=300, s-maxage=86400, stale-while-revalidate=86400
  CDN-Cache-Control: public, max-age=86400, stale-while-revalidate=86400
/terms
  Cache-Control: public, max-age=300, s-maxage=86400, stale-while-revalidate=86400
  CDN-Cache-Control: public, max-age=86400, stale-while-revalidate=86400
