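# ============================================================
# Crewli Security Headers — Nginx Configuration
# ============================================================
# Include this file in each server block:
#   include /path/to/deploy/nginx/security-headers.conf;
#
# Three separate CSP policies for API vs SPA vs Portal.
# Adjust connect-src if the API domain changes.
#
# NOTE: Content-Security-Policy is NOT set in this file; the three
# per-app CSP policies mentioned above live with the server blocks
# that include this file (confirm they are actually present there).
#
# IMPORTANT (nginx add_header inheritance): add_header directives are
# inherited from the enclosing level ONLY if the current level has no
# add_header of its own. Any `location` block that adds even one
# header (e.g. a Cache-Control for static assets) silently drops
# every header below. Re-include this file inside such locations.
#
# The `always` parameter makes nginx send these headers on every
# response code, including 4xx/5xx error pages; without it they are
# only added to 2xx/3xx responses.
# ============================================================

# --- Shared headers (all server blocks) ---

# Stop browsers from MIME-sniffing responses into scripts/styles.
add_header X-Content-Type-Options "nosniff" always;

# Never allow this site to be framed (clickjacking). If a CSP with
# frame-ancestors is also sent, modern browsers use frame-ancestors
# and ignore this header — keep the two consistent.
add_header X-Frame-Options "DENY" always;

# Send full referrer same-origin, origin-only cross-origin over HTTPS,
# nothing on an HTTPS->HTTP downgrade.
add_header Referrer-Policy "strict-origin-when-cross-origin" always;

# Deny camera/microphone/geolocation to this origin and all embedded
# frames. Extend the list if other powerful features are unused.
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;

# HSTS: enable after confirming HTTPS works correctly.
# Caveats before uncommenting:
#  - Browsers cache the policy for max-age (one year here); an HTTPS
#    outage during that window cannot be "undone" from the server.
#  - includeSubDomains applies to EVERY subdomain of this host, so
#    confirm all of them serve valid HTTPS first, or drop the flag.
#  - Consider a short max-age (e.g. 300) for the first rollout.
# add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;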