# nginx.conf worker_processes auto; user nginx; events { worker_connections 1024; } http { include /etc/nginx/mime.types; default_type application/octet-stream; client_max_body_size 50m; sendfile on; keepalive_timeout 65; server { listen 80; server_name _; # ------------------------- # React frontend # ------------------------- root /usr/share/nginx/html; index index.html; location / { try_files $uri /index.html; } # # ------------------------- # # Django backend API # # ------------------------- # # Serve Django static and media volumes mounted into the container # location /static/ { # alias /app/collectedstaticfiles/; # } # location /media/ { # alias /app/media/; # } # # Same-origin proxy for API -> avoids CORS and allows cookies # location /api { # return 301 /api/; # } # location /api/ { # proxy_pass http://backend:8000; # proxy_set_header Host $host; # proxy_set_header X-Real-IP $remote_addr; # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # proxy_set_header X-Forwarded-Proto $scheme; # proxy_http_version 1.1; # proxy_set_header Connection ""; # proxy_buffering off; # client_max_body_size 50m; # } # ------------------------- # Security headers # ------------------------- add_header X-Frame-Options "SAMEORIGIN"; add_header X-Content-Type-Options "nosniff"; add_header Referrer-Policy "strict-origin-when-cross-origin"; # Minimal, valid CSP for development add_header Content-Security-Policy "default-src 'self'; frame-src 'self' https://www.google.com https://*.google.com https://*.google.cz; frame-ancestors 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' blob:; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https:; connect-src 'self' http://127.0.0.1:8000 http://localhost:8000 ws: wss:; font-src 'self' data:"; } }