:80 {
  encode zstd gzip

  header {
    X-Content-Type-Options nosniff
    X-Frame-Options DENY
    Referrer-Policy strict-origin-when-cross-origin
    Permissions-Policy "camera=(self), geolocation=(), microphone=()"
    Content-Security-Policy "default-src 'self'; img-src 'self' data: https://images.openfoodfacts.org; connect-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests"
  }

  handle /api/* {
    reverse_proxy backend:8000
  }

  handle {
    reverse_proxy frontend:8080
  }
}