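{
	# fly.io terminates TLS at its edge, so Caddy only speaks plain HTTP behind it
	auto_https off
}

# Canonical-host redirect: requests for the fly.dev hostname are sent to
# mat.services. The target is a fixed URL, so the request path is not carried
# over; redir without an explicit code answers with a 302.
http://static-mat-services.fly.dev/ {
	redir https://mat.services/
}

:8080 {
	root * /var/www
	encode gzip
	file_server

	# Custom page for 404 responses produced by the site's handlers.
	handle_errors {
		@404 {
			expression {http.error.status_code} == 404
		}
		rewrite @404 /404.html
		file_server
	}

	header {
		# disable FLoC tracking
		Permissions-Policy interest-cohort=()
		# enable HSTS
		# currently ramping up max-age as per https://hstspreload.org/
		# The value must be a single quoted token. Unquoted, the header
		# sub-directive sees three arguments and treats "max-age=300;" as a
		# <find> string and "includeSubDomains" as its <replace>, i.e. a
		# replace operation on a header that is never set -- so no
		# Strict-Transport-Security header would be emitted at all.
		# (The CSP line below already uses the quoted form.)
		Strict-Transport-Security "max-age=300; includeSubDomains"
		# disable clients from sniffing the media type
		X-Content-Type-Options nosniff
		# clickjacking protection (frame-ancestors 'none' in the CSP covers
		# CSP-aware browsers; this header covers the rest)
		X-Frame-Options DENY
		# keep referrer data off of HTTP connections
		Referrer-Policy strict-origin-when-cross-origin
		# content security policy: no scripts at all; images from this
		# origin only; styles and fonts from this origin and jsDelivr.
		Content-Security-Policy "default-src 'none'; img-src 'self'; style-src 'self' https://cdn.jsdelivr.net/; font-src 'self' https://cdn.jsdelivr.net/; frame-ancestors 'none'; base-uri 'none'; upgrade-insecure-requests; sandbox allow-same-origin"
	}
}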