/*
  X-Frame-Options: DENY
  X-Content-Type-Options: nosniff
  Referrer-Policy: strict-origin-when-cross-origin
  X-XSS-Protection: 1; mode=block
  Permissions-Policy: camera=(), microphone=(), geolocation=()

# OAuth specific headers
/oauth/*
  Access-Control-Allow-Origin: https://bsky.social
  Access-Control-Allow-Methods: GET, POST, OPTIONS
  Access-Control-Allow-Headers: Content-Type, Authorization

# Static assets caching
/assets/*
  Cache-Control: public, max-age=31536000, immutable

/css/*
  Content-Type: text/css
  Cache-Control: public, max-age=60

/*.js
  Content-Type: application/javascript
  Cache-Control: public, max-age=31536000, immutable

/assets/*.js
  Content-Type: application/javascript
  Cache-Control: public, max-age=31536000, immutable

# Ensure ES6 modules are served correctly
/assets/comment-atproto-*.js
  Content-Type: text/javascript; charset=utf-8
  Cache-Control: public, max-age=31536000, immutable

# All JS assets
/assets/*-*.js
  Content-Type: text/javascript; charset=utf-8
  Cache-Control: public, max-age=31536000, immutable

# CSS assets
/assets/*.css
  Content-Type: text/css
  Cache-Control: public, max-age=60

/posts/*
  Cache-Control: public, max-age=3600

# Client metadata for OAuth
/client-metadata.json
  Content-Type: application/json
  Cache-Control: public, max-age=3600