# Listening on
0.0.0.0

# Set the document root of the site.
root /srv/app/www

# Compress the transmitted data
gzip

# Set the path to the php-fpm process.
fastcgi / 127.0.0.1:9000 php

# Main rewrite to route non-existent files to index.php file.
rewrite {
  if {file} not favicon.ico
  to {path} {path}/ /index.php?{path}&{query}
}

header / {
  # Don't show Caddy/Gunicorn as server header.
  -Server

  # Enable HTTP Strict Transport Security (HSTS) to force clients to always
  # connect via HTTPS (do not use if only testing)
  Strict-Transport-Security "max-age=31536000;"

  # Enable cross-site filter (XSS) and tell browser to block detected attacks
  X-XSS-Protection "1; mode=block"

  # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
  X-Content-Type-Options "nosniff"

  # Disallow the site to be rendered within a frame (clickjacking protection)
  X-Frame-Options "DENY"
}

log stdout
errors stdout
on startup php-fpm --nodaemonize
