:8080 {
    # Serve from dist directory
    root * dist
    file_server

    # Enable Gzip compression (Brotli requires custom Caddy build)
    encode gzip

    # Cache static assets aggressively
    @static {
        path *.wasm *.js *.css *.png *.jpg *.jpeg *.gif *.svg *.ico *.woff *.woff2
    }
    header @static Cache-Control "public, max-age=31536000, immutable"

    # Cache HTML with shorter duration
    @html {
        path *.html /
    }
    header @html Cache-Control "public, max-age=3600"

    # Security headers
    header {
        # Enable HTTPS redirect in production
        Strict-Transport-Security "max-age=31536000; includeSubDomains"
        
        # Prevent XSS attacks
        X-Content-Type-Options "nosniff"
        X-Frame-Options "DENY"
        X-XSS-Protection "1; mode=block"
        
        # Content Security Policy for WASM
        Content-Security-Policy "default-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; font-src 'self' https://cdn.jsdelivr.net; connect-src *; img-src 'self' data: https:;"
        
        # Referrer policy
        Referrer-Policy "strict-origin-when-cross-origin"
    }

    # WASM MIME type
    @wasm {
        path *.wasm
    }
    header @wasm Content-Type "application/wasm"

    # Handle SPA routing - serve index.html for non-file requests
    try_files {path} /index.html

    # Logging
    log {
        output stdout
        format console
    }
}