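{$DOMAIN} {
	# TLS: ACME via the Let's Encrypt STAGING directory for initial testing.
	# Staging certificates are NOT trusted by browsers; remove the `ca` line
	# (Caddy then defaults to the production CA) before going live, or every
	# client will see a certificate error.
	tls {$TLS_EMAIL} {
		ca https://acme-staging-v02.api.letsencrypt.org/directory
	}

	# Security headers, applied to every response proxied from the app.
	header {
		# CSP: same-origin by default. 'unsafe-inline' is granted to style-src
		# only; scripts must be same-origin. object-src 'none' is set explicitly
		# so <object>/<embed> content is blocked instead of inheriting
		# default-src 'self'. img-src additionally allows TMDB images and
		# connect-src allows the site's own WebSocket origin.
		# NOTE(review): if the app emits inline <script> tags (some frameworks
		# do for hydration), script-src 'self' will block them — check the browser
		# console and prefer a nonce or hash over 'unsafe-inline' if needed.
		Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' https://image.tmdb.org; connect-src 'self' wss://{$DOMAIN}; font-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'"
		# Legacy clickjacking protection for clients that ignore frame-ancestors.
		X-Frame-Options "DENY"
		# Stop MIME-type sniffing of responses.
		X-Content-Type-Options "nosniff"
		Referrer-Policy "strict-origin-when-cross-origin"
		# HSTS max-age is deliberately short (1 day) while still on the staging CA.
		# Raise it to at least 31536000 (and consider `preload`) once production
		# TLS is confirmed stable; a long max-age is hard to undo if TLS breaks.
		Strict-Transport-Security "max-age=86400; includeSubDomains"
		# Deny browser features the app does not use; interest-cohort=() opts out
		# of FLoC (inert in current browsers but harmless to keep).
		Permissions-Policy "camera=(), microphone=(), geolocation=(), interest-cohort=()"
		# Strip the Server header so the proxy does not advertise itself.
		-Server
	}

	# Reverse proxy to the Next.js app container on port 3000.
	# NOTE(review): the headers above only protect traffic that passes through
	# this proxy — confirm port 3000 is not also exposed directly to clients.
	reverse_proxy app:3000
}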