server {
    listen 8080 default_server;
    listen [::]:8080 default_server;

    root /var/www;
    index index.php index.html index.htm;

    location / {
        # no-transform tells Cloudflare and others to not change the content of
        # the file and thus breaking SRI.
        # https://developers.cloudflare.com/cache/about/cache-control#other
        add_header Cache-Control "public, max-age=3600, must-revalidate, no-transform";
        add_header Cross-Origin-Embedder-Policy require-corp;
        # disabled, because it prevents links from a paste to the same site to
        # be opened. Didn't work with `same-origin-allow-popups` either.
        # See issue #109 for details.
        #add_header Cross-Origin-Opener-Policy same-origin;
        add_header Cross-Origin-Resource-Policy same-origin;
        add_header Referrer-Policy no-referrer;
        add_header X-Content-Type-Options nosniff;
        add_header X-Frame-Options deny;
        add_header X-XSS-Protection "1; mode=block";
        
        # Uncomment to enable HSTS
        # https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
        #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

        include /etc/nginx/location.d/*.conf;
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location ~ \.php$ {
        include /etc/nginx/location.d/*.conf;
        fastcgi_pass unix:/run/php-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;

        # Prevent exposing nginx + version to $_SERVER
        fastcgi_param SERVER_SOFTWARE "";
    }

    include /etc/nginx/server.d/*.conf;
}