# Remplacer par votre domaine réel
# En dev local, utiliser: localhost:443

your-domain.com {
	reverse_proxy app:3000

	header {
		Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
		X-Content-Type-Options "nosniff"
		X-Frame-Options "DENY"
		Referrer-Policy "strict-origin-when-cross-origin"
		Permissions-Policy "camera=(), microphone=(), geolocation=()"
		-Server
	}

	encode gzip zstd

	log {
		output file /var/log/caddy/access.log {
			roll_size 10mb
			roll_keep 5
		}
	}
}