# Cloudflare Pages headers. Applied at the edge — no app code involved.
# Docs: https://developers.cloudflare.com/pages/configuration/headers/

# Hashed build assets never change for a given URL — cache them forever
# (max-age is one year; `immutable` tells browsers not to revalidate).
# This is only safe while every file under /assets/ has a content hash in its
# name: an unhashed file placed here would stay pinned in browser caches for up
# to a year, so a corrected version could not be pushed to returning users.
/assets/*
  Cache-Control: public, max-age=31536000, immutable

# The HTML shell must always revalidate so a new deploy is picked up instantly
# (`no-cache` still lets caches store the response, but it has to be
# revalidated before each reuse). This is also what gets a fixed bundle to
# users promptly, since the shell is what points at the hashed assets.
# NOTE(review): Pages normally serves the shell at `/` and redirects
# `/index.html` there, and an SPA fallback would serve it for other routes as
# well, so this rule may not match the requests that actually return the
# shell. Check the response headers on `/` in a deployed build and adjust the
# path if the header is missing.
/index.html
  Cache-Control: no-cache

# Sensible, non-breaking security headers for the whole site. Rules are
# cumulative, so these are sent in addition to the Cache-Control rules above.
# (No Content-Security-Policy on purpose: the app fetches user-chosen LLM
#  endpoints and renders arbitrary user media URLs, so a strict CSP would
#  fight the local-first/BYOK design. Add a tailored connect-src/img-src CSP
#  later if you lock down which providers are allowed.)
# NOTE(review): the reason above only covers connect-src/img-src/media-src.
#  Those can stay wide open while script-src, object-src and base-uri are
#  still restricted, and that is the part of a CSP that limits what injected
#  script can do. It matters more here if provider keys are kept in browser
#  storage (presumably the case for BYOK — confirm). A policy can be trialled
#  with Content-Security-Policy-Report-Only before it is enforced.
#
# What each header below does:
#  - X-Content-Type-Options: browsers must not MIME-sniff this site's
#    responses into a different type than the one declared.
#  - Referrer-Policy: cross-origin requests (including those to user-chosen
#    endpoints and media hosts) receive only the origin, never path or query.
#  - X-Frame-Options: only same-origin pages may frame the site. This is the
#    legacy control; CSP `frame-ancestors 'self'` is the current equivalent
#    and could be added without touching connect-src/img-src.
#  - Permissions-Policy: the empty allowlists turn geolocation, microphone
#    and camera off for this site and for anything it embeds.
/*
  X-Content-Type-Options: nosniff
  Referrer-Policy: strict-origin-when-cross-origin
  X-Frame-Options: SAMEORIGIN
  Permissions-Policy: geolocation=(), microphone=(), camera=()
