:8080 {
    root * .
    file_server
    encode gzip

    # Performance optimizations
    header {
        # Remove default Caddy headers
        -Server
        -X-Powered-By
        
        # HSTS
        Strict-Transport-Security "max-age=31536000; includeSubDomains"
        
        # Basic security headers
        X-Frame-Options "DENY"
        X-Content-Type-Options "nosniff"
        Referrer-Policy "strict-origin-when-cross-origin"
        
        # Permissions policy
        Permissions-Policy "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()"
        
        # Cross-origin isolation headers
        Cross-Origin-Embedder-Policy "require-corp"
        Cross-Origin-Resource-Policy "same-origin"
        Cross-Origin-Opener-Policy "same-origin"
        
        # Cache control for static assets
        Cache-Control "public, max-age=31536000, immutable"
        
        # CSP with hashes for scripts and styles
        Content-Security-Policy "default-src 'none'; script-src 'self' 'sha256-ryQsJ+aghKKD/CeXgx8jtsnZT3Epp3EjIw8RyHIq544=' 'sha256-anTkUs/oFZJulKUMaMjZlwaALEmPOP8op0psAo5Bhh8='; style-src 'self' 'sha256-Mo+7o3oPEKpX7fqRvTtunvQHlIDhJ0SxAMG1PCNniCI='; img-src 'self' data:; font-src 'self' data:; connect-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'none'; form-action 'none';"
    }

    # Handle 404s
    handle_errors {
        respond "{err.status_code} {err.status_text}"
    }

    # Logging
    log {
        output stdout
        format json
    }

    # Enable static file serving with caching
    file_server {
        precompressed
        browse
    }
}