Tweaks, fixes, and launch prep

nginx/snippets/cache-rules.conf

@@ -0,0 +1,64 @@
+# Cache and security rules for static site (included by both dev and bio server blocks)
+# Security headers are handled upstream by Traefik
+
+# HTML: no-cache (always revalidate)
+location ~ \.html$ {
+    add_header Cache-Control "no-cache, must-revalidate";
+    expires 0;
+}
+
+# CSS and JavaScript: long cache with immutable (hashed filenames)
+location ~* \.(css|js)$ {
+    add_header Cache-Control "public, max-age=31536000, immutable";
+    access_log off;
+}
+
+# Images: long cache (30 days)
+location ~* \.(jpg|jpeg|png|gif|webp|avif)$ {
+    add_header Cache-Control "public, max-age=2592000";
+    access_log off;
+}
+
+# SVG images: long cache (30 days)
+location ~* \.svg$ {
+    add_header Cache-Control "public, max-age=2592000";
+    add_header Content-Type image/svg+xml;
+    access_log off;
+}
+
+# Fonts: long cache with immutable
+location ~* \.(woff|woff2|ttf|otf|eot)$ {
+    add_header Cache-Control "public, max-age=31536000, immutable";
+    access_log off;
+}
+
+# Documents: medium cache (30 days)
+location ~* \.(pdf|doc|docx)$ {
+    add_header Cache-Control "public, max-age=2592000";
+    access_log off;
+}
+
+# robots.txt: short cache (1 day)
+location = /robots.txt {
+    add_header Cache-Control "public, max-age=86400";
+    access_log off;
+}
+
+# favicon: long cache (30 days)
+location = /favicon.svg {
+    add_header Cache-Control "public, max-age=2592000";
+    add_header Content-Type image/svg+xml;
+    access_log off;
+}
+
+# .well-known (security.txt, ACME, etc.)
+location ^~ /.well-known/ {
+    add_header Cache-Control "public, max-age=86400";
+}
+
+# Deny hidden files
+location ~ /\. {
+    deny all;
+    access_log off;
+    log_not_found off;
+}