# Security headers for all pages
/*
  Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https://static.cloudflareinsights.com; font-src 'self' https://fonts.gstatic.com; script-src 'self' https://static.cloudflareinsights.com; connect-src 'self' https://cloudflareinsights.com
  Strict-Transport-Security: max-age=31536000; includeSubDomains
  X-Content-Type-Options: nosniff
  X-Frame-Options: DENY
  X-XSS-Protection: 1; mode=block
  Referrer-Policy: same-origin
  Permissions-Policy: camera=(), microphone=(), geolocation=()
  Cache-Control: public, max-age=3600, stale-while-revalidate=86400

# Long cache for images (31 days, immutable)
/images/*
  Cache-Control: public, max-age=2678400, immutable

# RSS feed headers
/rss.xml
  Content-Type: application/rss+xml; charset=utf-8
  Cache-Control: public, max-age=3600, stale-while-revalidate=86400

# JSON feed headers
/feed.json
  Content-Type: application/feed+json; charset=utf-8
  Cache-Control: public, max-age=3600, stale-while-revalidate=86400