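# Security Headers Configuration
# Custom PHP Framework - {{ environment | upper }}
#
# NOTE(review): add_header is NOT additive across nginx contexts. A location
# block that declares even one add_header drops EVERY add_header inherited
# from the enclosing server/http level. The /admin and /api blocks below
# previously lost HSTS, X-Robots-Tag and the whole security_headers set for
# that reason, so the shared set is now emitted through a macro and re-applied
# inside each location that adds headers of its own.
#
# Requires ngx_http_headers_more_filter_module (more_clear_headers /
# more_set_headers); nginx refuses to start without it.
#
# Template inputs (security_headers, hsts_*) are treated as trusted config:
# values are interpolated into double-quoted nginx strings without escaping,
# so a value containing '"' will break the generated config.

{% macro shared_security_headers() -%}
{% for header, value in security_headers.items() %}
    add_header {{ header }} "{{ value }}" always;
{% endfor %}
{% if hsts_enabled %}
    # HSTS: include this file only from the TLS server block (browsers ignore
    # HSTS received over plain HTTP). Preload submission additionally needs
    # max-age >= 31536000 and includeSubDomains.
    add_header Strict-Transport-Security "max-age={{ hsts_max_age }}{% if hsts_include_subdomains %}; includeSubDomains{% endif %}{% if hsts_preload %}; preload{% endif %}" always;
{% endif %}
    # Keeps the ENTIRE site out of search indexes, not just admin paths;
    # confirm that is intended for this deployment.
    add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive" always;
{%- endmacro %}

# Shared security headers (server level)
{{ shared_security_headers() }}

# Server Information Hiding
# Do not echo the environment name: "Custom-Framework/staging" tells an
# attacker which tier (and therefore which hardening level) they are hitting.
more_clear_headers 'Server';
more_set_headers 'Server: Custom-Framework';

# Prevent clickjacking for admin areas
# (shared set re-applied because this add_header would otherwise replace it)
location /admin {
    {{ shared_security_headers() }}
    add_header X-Frame-Options "DENY" always;
}

# Additional security for API endpoints
# Rate limiting is handled in separate config
location /api {
    {{ shared_security_headers() }}
    add_header X-Content-Type-Options "nosniff" always;
    # X-XSS-Protection is deprecated and ignored by current browsers; OWASP now
    # recommends "0" and a Content-Security-Policy as the real control. Kept
    # as-is to preserve existing behaviour.
    add_header X-XSS-Protection "1; mode=block" always;
}

# Disable access to sensitive files
# `return` runs in the rewrite phase, before `deny` (access phase) is ever
# evaluated, so the 404 is what clients see; `deny all` is a belt-and-braces
# fallback should the return be removed. 404 (not 403) avoids confirming the
# file exists.
# `lock` added: composer.lock / yarn.lock disclose exact dependency versions.
location ~* \.(env|git|gitignore|gitattributes|htaccess|htpasswd|ini|log|sh|sql|conf|lock)$ {
    deny all;
    return 404;
}

# Prevent access to hidden files and directories
# NOTE(review): this also blocks /.well-known/acme-challenge/; add a more
# specific `location ^~ /.well-known/acme-challenge/` block before this one
# if ACME HTTP-01 renewal is used on this host.
location ~ /\. {
    deny all;
    return 404;
}

# Block access to backup and temporary files
# Fixed: the original `\.(...|~)$` only matched "file.~"; editor backups are
# written as "file.php~" (no dot before the tilde), so the `~` branch never
# fired. `orig` and `old` cover patch/`cp` leftovers.
location ~* (\.(bak|backup|swp|tmp|temp|orig|old)|~)$ {
    deny all;
    return 404;
}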