# Cloudflare Pages headers — mirrors nginx.conf for the Docker deploy.
# Format: https://developers.cloudflare.com/pages/configuration/headers/

# Default headers applied to every path
/*
  Cross-Origin-Opener-Policy: same-origin
  Cross-Origin-Embedder-Policy: require-corp
  X-Frame-Options: DENY
  X-Content-Type-Options: nosniff
  Referrer-Policy: no-referrer
  Content-Security-Policy: default-src 'none'; script-src 'self' 'wasm-unsafe-eval'; style-src 'self'; img-src 'self' data: blob:; font-src 'self'; connect-src 'self'; worker-src 'self' blob:; manifest-src 'self'; base-uri 'none'; frame-ancestors 'none'

# Hashed assets are content-addressed; cache aggressively
/assets/*
  Cache-Control: public, immutable, max-age=31536000

# Service worker must always be fresh so updates roll out
/sw.js
  Cache-Control: no-store, no-cache, must-revalidate
