# Security and Performance Headers
# https://docs.netlify.com/routing/headers/
#
# Format: a path pattern on its own line, followed by the headers applied to
# responses for that path. Rules are listed from the broadest pattern (/*)
# to the most specific paths; the specific paths below set their own
# Cache-Control values.
/*
# Security Headers
# Clickjacking: this legacy header and the CSP frame-ancestors directive
# below both restrict framing to same-origin — keep the two in agreement.
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
# Browser features the site does not use; each is disabled for every origin.
Permissions-Policy: geolocation=(), microphone=(), camera=(), payment=(), usb=(), magnetometer=(), accelerometer=(), gyroscope=()
# Content Security Policy
# Note: this policy uses no nonces or hashes. script-src and style-src allow
# 'unsafe-inline' because the static site has no build step to inject them;
# that allowance weakens the XSS protection CSP would otherwise give, so
# tightening to nonces/hashes is worthwhile if a build step is ever added.
# connect-src: the only cross-origin fetch/XHR destination permitted is
# https://cloud.iexapis.com. img-src additionally allows any https: origin
# and data: URLs; everything else falls back to default-src 'self'.
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' https: data:; font-src 'self'; connect-src 'self' https://cloud.iexapis.com; frame-ancestors 'self'; base-uri 'self'; form-action 'self'; upgrade-insecure-requests;
# Modern Security (cross-origin isolation)
# NOTE(review): require-corp makes the browser refuse cross-origin
# subresources that do not opt in via CORP or CORS — including the https:
# images that img-src above permits. Confirm those images still load, or
# drop this header if cross-origin isolation is not actually needed.
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
# Cache Control (default, one hour, re-validated once stale)
Cache-Control: public, max-age=3600, must-revalidate
# Service Worker - no cache
# max-age=0 plus must-revalidate so updates to the worker are picked up
# promptly rather than served from cache.
/sw.js
Cache-Control: public, max-age=0, must-revalidate
# Static assets - long cache
# NOTE(review): "immutable" with a one-year max-age assumes a file's name
# changes whenever its content does; unhashed asset names would keep serving
# stale files for up to a year. Confirm the assets are fingerprinted.
/*.css
Cache-Control: public, max-age=31536000, immutable
/*.js
Cache-Control: public, max-age=31536000, immutable
/*.png
Cache-Control: public, max-age=31536000, immutable
/*.jpg
Cache-Control: public, max-age=31536000, immutable
/*.ico
Cache-Control: public, max-age=31536000, immutable
/*.svg
Cache-Control: public, max-age=31536000, immutable
/*.webp
Cache-Control: public, max-age=31536000, immutable
# Web App Manifest (one week; explicit media type so the browser treats it as a manifest)
/site.webmanifest
Cache-Control: public, max-age=604800
Content-Type: application/manifest+json
# Security files (security.txt and similar under .well-known)
/.well-known/*
Cache-Control: public, max-age=3600
/humans.txt
Cache-Control: public, max-age=86400
/robots.txt
Cache-Control: public, max-age=86400
/sitemap.xml
Cache-Control: public, max-age=3600