:{$PORT:5000} {
    root * /usr/share/caddy

    header {
        Content-Security-Policy "default-src 'self'; base-uri 'self'; object-src 'none'; frame-ancestors 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self' data:; connect-src 'self' https: http: ws: wss:; worker-src 'self' blob:"
    }

    @staticAssets {
        path *.js *.wasm *.woff *.woff2 *.ttf *.otf
    }
    header @staticAssets Cache-Control "public, max-age=86400"

    @hashedAssets {
        path_regexp hashedAssets .*[._-][0-9a-fA-F]{8,}\.(js|css|wasm|woff2?|ttf|otf)$
    }
    header @hashedAssets Cache-Control "public, max-age=31536000, immutable"

    @serviceWorker path /flutter_service_worker.js /version.json
    header @serviceWorker Cache-Control "no-cache, must-revalidate"

    @index path / /index.html
    header @index Cache-Control "public, max-age=300, must-revalidate"

    # Proxy API calls to backend service on the internal Docker network.
    handle /api/* {
        reverse_proxy recipe-api:8080
    }

    # SPA-routing – returnera alltid index.html för okända paths
    handle {
        try_files {path} /index.html
        file_server
    }

    encode gzip
}