# Security Headers for all routes
/*
  # XSS Protection
  X-Frame-Options: DENY
  X-Content-Type-Options: nosniff
  X-XSS-Protection: 1; mode=block

  # Referrer Policy
  Referrer-Policy: strict-origin-when-cross-origin

  # Permissions Policy
  Permissions-Policy: geolocation=(self), microphone=(), camera=(), payment=()

  # Strict Transport Security (HSTS)
  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

  # Content Security Policy
  Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://fonts.googleapis.com https://www.googletagmanager.com https://www.google-analytics.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https: blob:; connect-src 'self' https://www.google-analytics.com https://*.googletagmanager.com; frame-ancestors 'none';

  # Cache Control for static assets
  Cache-Control: public, max-age=31536000, immutable

# Cache Control for HTML
/*.html
  Cache-Control: public, max-age=0, must-revalidate

# Cache Control for service worker
/sw.js
  Cache-Control: public, max-age=0, must-revalidate

# Cache Control for manifest
/manifest.json
  Cache-Control: public, max-age=86400, must-revalidate