# Redirect www → apex (Caddy auto-provisions TLS for both)
www.finlet.dev {
    redir https://finlet.dev{uri} permanent
}

finlet.dev {
    reverse_proxy localhost:8000

    encode gzip zstd

    # Security headers (CSP, X-Frame-Options, etc.) are set by
    # SecurityHeadersMiddleware in finlet/api/security_middleware.py.
    # Only HSTS is set here since Caddy handles TLS termination.
    header {
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    }

    log {
        output file /var/log/caddy/finlet-access.log
        format json
    }
}
