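server {
    # Plain HTTP only; TLS (and therefore HSTS / Secure cookies) must be
    # terminated by something in front of this server — configure it there.
    listen 80;
    server_name localhost;

    # Document root is the app's public/ directory only. Application code and
    # the uploads directory live outside it, so nothing but the front
    # controller and public assets is reachable by URL path.
    root /var/www/html/public;
    index index.php;

    # NOTE: add_header is NOT inherited into a location that declares its own
    # add_header — any nested location that adds a header must repeat all of
    # these (the uploads location below does).
    # Prevent browsers from MIME-sniffing a response away from the declared type.
    add_header X-Content-Type-Options "nosniff" always;
    # Block the page from being loaded inside an iframe (prevents clickjacking).
    # frame-ancestors in the CSP below is the modern equivalent; both are sent.
    add_header X-Frame-Options "DENY" always;
    # Only allow resources from the same origin — inline styles are needed for
    # GD-generated image previews, media-src blob: for webcam capture.
    # base-uri and frame-ancestors do NOT fall back to default-src, so they are
    # set explicitly: base-uri 'self' stops an injected <base> from redirecting
    # relative script/form URLs; frame-ancestors 'none' mirrors X-Frame-Options.
    add_header Content-Security-Policy "default-src 'self'; base-uri 'self'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' blob: data:; media-src 'self' blob:;" always;

    # Do not advertise the PHP version PHP-FPM may add to responses.
    fastcgi_hide_header X-Powered-By;

    # Deny dotfiles (.env, .git/, .htaccess, ...). Placed BEFORE the PHP
    # location: regex locations are tried in order and the first match wins,
    # so "/.hidden.php" must hit this rule rather than be handed to PHP-FPM.
    # This also blocks /.well-known/ (ACME http-01); carve it out if needed.
    location ~ /\. {
        deny all;
    }

    # User uploads, served as static files from a directory outside the docroot.
    # ^~ stops regex locations (including "~ \.php$" below, which would otherwise
    # take precedence over this prefix) from being considered for this path, so
    # an uploaded "shell.php" is never passed to PHP-FPM. The three headers are
    # repeated because add_header here replaces the server-level set; the
    # tighter CSP with 'sandbox' neuters an uploaded HTML/SVG file when it is
    # opened directly, while <img>/<video> embedding from app pages is unaffected.
    location ^~ /uploads/ {
        alias /var/www/html/uploads/;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Frame-Options "DENY" always;
        add_header Content-Security-Policy "default-src 'none'; sandbox" always;
        # Belt and braces: refuse to serve script-looking uploads at all.
        location ~* \.(php|phtml|phar)$ {
            return 403;
        }
    }

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ \.php$ {
        # Only hand real files to PHP-FPM. Without this, "/foo.png/x.php" is
        # forwarded as-is and, with cgi.fix_pathinfo=1 in PHP-FPM, executed as
        # foo.png. If path-info style URLs (/index.php/route) are required,
        # add fastcgi_split_path_info instead of relying on this check alone.
        try_files $uri =404;
        # Include the defaults first so SCRIPT_FILENAME set below is authoritative.
        include fastcgi_params;
        fastcgi_index index.php;
        fastcgi_pass php:9000;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}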