/*
  X-Frame-Options: DENY
  X-Content-Type-Options: nosniff
  Referrer-Policy: strict-origin-when-cross-origin
  X-XSS-Protection: 1; mode=block
  X-DNS-Prefetch-Control: on
  Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), layout-animations=(self), legacy-image-formats=(self), magnetometer=(), microphone=(), midi=(), oversized-images=(self), payment=(), picture-in-picture=(), publickey-credentials-get=(), speaker-selection=(), sync-xhr=(self), unoptimized-images=(self), unsized-media=(self), usb=(), screen-wake-lock=(), web-share=(), xr-spatial-tracking=()
  Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
  Cross-Origin-Embedder-Policy: require-corp
  Cross-Origin-Opener-Policy: same-origin
  Cross-Origin-Resource-Policy: same-origin
  Timing-Allow-Origin: *
  
  # Content Security Policy - Optimized for Zenith Platform
  # Allows: Self, HF Spaces for Backend, Supabase for DB, Gravatar for avatars
  Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://static.cloudflareinsights.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https: blob:; font-src 'self' data: https://fonts.gstatic.com; connect-src 'self' https://*.hf.space https://*.supabase.co https://*.pages.dev wss://*.hf.space https://cloudflareinsights.com; media-src 'self' https: blob:; object-src 'none'; frame-src 'none'; base-uri 'self'; form-action 'self'; upgrade-insecure-requests;

  # Cloudflare Cache Optimization
  Cloudflare-CDN-Cache-Control: max-age=3600

# Cache static assets for 1 year with immutable flag
/assets/*
  Cache-Control: public, max-age=31536000, immutable
  Cloudflare-CDN-Cache-Control: max-age=31536000, immutable

# Short-lived cache for favicon and manifest
/favicon.ico
  Cache-Control: public, max-age=86400

/manifest.json
  Cache-Control: public, max-age=86400

# HTML/SPA Entry point - No caching to ensure updates are picked up
/index.html
  Cache-Control: no-cache, no-store, must-revalidate
  Cloudflare-CDN-Cache-Control: no-cache, no-store, must-revalidate

# Early Hints - Preconnect to APIs and Fonts
/index.html
  Link: <https://teoat-zenith-backend.hf.space>; rel=preconnect
  Link: <https://fonts.googleapis.com>; rel=preconnect
  Link: <https://fonts.gstatic.com>; rel=preconnect