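server {
    listen 80;
    server_name localhost;

    # Do not advertise the nginx version in the Server header or error pages.
    server_tokens off;

    root /usr/share/nginx/html;
    index index.html;

    # Security headers (hardened).
    # Declared at server level so every location inherits them. nginx discards
    # the inherited set in any location that declares its own add_header, so
    # such locations must repeat what they need (see the static-asset location
    # below). "always" also attaches them to error responses (the 403 from the
    # dotfile block, 404s, ...).
    add_header X-Frame-Options "DENY" always;
    # The legacy XSS auditor has been removed from current browsers and OWASP
    # recommends disabling it explicitly; the CSP below is the real control.
    add_header X-XSS-Protection "0" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    # Browsers only honour HSTS on HTTPS responses. This listener is plain HTTP,
    # so the header only takes effect if TLS is terminated in front of this
    # server and the header is passed through — confirm in deployment.
    # "preload" is a long-lived commitment that covers all subdomains.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    # Feature names must match the spec exactly ("geolocation", not
    # "geolocations", which matches nothing and is silently ignored).
    # Allowlist origins are structured-field strings and must be double-quoted;
    # single-quoted origins make the entry unparsable.
    add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=(self \"https://js.stripe.com\")" always;

    # CSP. base-uri 'self' stops <base> injection from redirecting relative
    # script URLs, object-src 'none' removes the plugin vector, and
    # frame-ancestors 'none' is the CSP equivalent of X-Frame-Options DENY
    # above (no change in framing behaviour).
    # NOTE(review): 'unsafe-inline' 'unsafe-eval' in script-src largely defeat
    # the script-src restriction; moving to nonces/hashes is the follow-up.
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.supabase.co https://js.stripe.com https://unpkg.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://unpkg.com; img-src 'self' data: blob: https://*.supabase.co https://*.tile.openstreetmap.org https://*.googleusercontent.com; font-src 'self' data: https://fonts.gstatic.com; connect-src 'self' https://*.supabase.co https://generativelanguage.googleapis.com https://api.resend.com; frame-src 'self' https://js.stripe.com; worker-src 'self' blob:; object-src 'none'; base-uri 'self'; frame-ancestors 'none';" always;

    # Static asset delivery and caching.
    location ~* \.(?:ico|css|js|gif|jpe?g|png|woff2?|eot|ttf|svg)$ {
        access_log off;
        # Long-lived cache for versioned assets (6 months = 15552000 s).
        # "expires 6M" is deliberately not combined with this directive: it
        # would emit a second Cache-Control header carrying the same max-age.
        add_header Cache-Control "public, max-age=15552000, immutable";
        # The add_header above discards the server-level set, so the headers
        # that matter for script/style responses are repeated here.
        add_header X-Content-Type-Options "nosniff" always;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    }

    # SPA fallback (Vue/React): paths without a matching file get index.html,
    # which inherits the server-level security headers.
    location / {
        try_files $uri $uri/ /index.html;
    }

    # Block dotfiles and hidden directories (.git, .env, .htaccess, ...).
    # This also blocks /.well-known/ (e.g. ACME challenges); add an explicit
    # location for that prefix if it is ever needed.
    location ~ /\. {
        deny all;
    }

    # Health check endpoint.
    location /health {
        access_log off;
        # The path has no extension, so set the type explicitly instead of
        # relying on whatever default_type the enclosing http block uses.
        default_type text/plain;
        return 200 "healthy\n";
    }
}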
