server { listen 80; server_name _; root /usr/share/nginx/html; index index.html; # serve config.json with correct MIME type + CORS for fetch() location = /config.json { add_header Content-Type application/json; add_header Access-Control-Allow-Origin *; } # SPA fallback (not needed for static, but safe to have) location / { try_files $uri $uri/ /index.html; } # Security headers add_header X-Frame-Options SAMEORIGIN; add_header X-Content-Type-Options nosniff; add_header Referrer-Policy no-referrer-when-downgrade; gzip on; gzip_types text/html text/css application/javascript application/json image/svg+xml; }