server { listen 80; listen [::]:80; server_name localhost; root /usr/share/nginx/html; index index.html; # Security headers # Content Security Policy (CSP) - Protection contre XSS add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.googletagmanager.com https://www.google-analytics.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https:; connect-src 'self' https://www.google-analytics.com https://www.googletagmanager.com; frame-ancestors 'none'; base-uri 'self'; form-action 'self'; require-trusted-types-for 'script';" always; # HTTP Strict Transport Security (HSTS) - Force HTTPS add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always; # Cross-Origin-Opener-Policy (COOP) - Isolation de l'origine add_header Cross-Origin-Opener-Policy "same-origin" always; # Cross-Origin-Resource-Policy (CORP) add_header Cross-Origin-Resource-Policy "same-origin" always; # Cross-Origin-Embedder-Policy (COEP) add_header Cross-Origin-Embedder-Policy "require-corp" always; # Protection contre le clickjacking add_header X-Frame-Options "DENY" always; # Protection contre le MIME type sniffing add_header X-Content-Type-Options "nosniff" always; # Protection XSS (legacy) add_header X-XSS-Protection "1; mode=block" always; # Referrer Policy - Contrôle des informations envoyées add_header Referrer-Policy "strict-origin-when-cross-origin" always; # Permissions Policy - Contrôle des fonctionnalités du navigateur add_header Permissions-Policy "geolocation=(), microphone=(), camera=(), payment=(), usb=(), magnetometer=(), gyroscope=(), accelerometer=()" always; # Gzip compression gzip on; gzip_vary on; gzip_proxied any; gzip_comp_level 6; gzip_min_length 256; gzip_types text/plain text/css text/xml text/javascript application/json application/javascript application/xml+rss application/rss+xml font/truetype font/opentype application/vnd.ms-fontobject image/svg+xml application/wasm; # Brotli compression (si supporté par nginx) # brotli on; # brotli_comp_level 6; # brotli_types text/plain text/css application/json application/javascript text/xml application/xml image/svg+xml; # Cache static assets - Images WebP location ~* \.(webp)$ { expires 1y; add_header Cache-Control "public, immutable"; add_header Vary "Accept-Encoding"; } # Cache static assets - Images location ~* \.(jpg|jpeg|png|gif|ico|svg)$ { expires 1y; add_header Cache-Control "public, immutable"; add_header Vary "Accept-Encoding"; } # Cache static assets - CSS/JS avec hash (versionnés) location ~* \.(css|js)$ { expires 1y; add_header Cache-Control "public, immutable"; add_header Vary "Accept-Encoding"; } # Cache static assets - Fonts location ~* \.(woff|woff2|ttf|otf|eot)$ { expires 1y; add_header Cache-Control "public, immutable"; add_header Access-Control-Allow-Origin "*"; } # SPA fallback - toutes les routes vers index.html location / { try_files $uri $uri/ /index.html; # HTTP/2 Server Push pour les ressources critiques (si supporté) # http2_push /assets/css/index.css; # http2_push /assets/js/index.js; } # Disable cache for index.html location = /index.html { add_header Cache-Control "no-cache, no-store, must-revalidate" always; add_header Pragma "no-cache" always; add_header Expires "0" always; # Ajout de Link headers pour preconnect add_header Link "; rel=preconnect" always; add_header Link "; rel=preconnect; crossorigin" always; } # Disable cache for service worker if you add one later location = /service-worker.js { add_header Cache-Control "no-cache, no-store, must-revalidate"; add_header Pragma "no-cache"; add_header Expires "0"; } # Error pages error_page 404 /index.html; # Optimisation supplémentaire tcp_nopush on; tcp_nodelay on; sendfile on; keepalive_timeout 65; }