nginx.conf

worker_processes 1;
daemon off;

error_log /home/vcap/app/nginx/logs/error.log;
events { worker_connections 1024; }

http {
  charset utf-8;
  log_format cloudfoundry '$http_x_forwarded_for - $http_referer - [$time_local] "$request" $status $body_bytes_sent';
  access_log /home/vcap/app/nginx/logs/access.log cloudfoundry;
  default_type application/octet-stream;
  include mime.types;
  sendfile on;
  limit_req_zone $binary_remote_addr zone=dm_limit:10m rate=3r/s;

  gzip on;
  gzip_disable "msie6";
  gzip_comp_level 6;
  gzip_min_length 1100;
  gzip_buffers 16 8k;
  gzip_proxied any;
  gunzip on;
  gzip_static always;
  gzip_types text/plain text/css text/js text/xml text/javascript application/javascript application/x-javascript application/json application/xml application/xml+rss;
  gzip_vary on;

  tcp_nopush on;
  keepalive_timeout 30;
  port_in_redirect off; # Ensure that redirects don't include the internal container PORT - 8080
  server_tokens off;

  server {
    listen 8080;
    server_name localhost;

    root /home/vcap/app/public;

    
      
    


    location / {
      

        index index.html index.htm Default.htm;
        try_files $uri $uri/ /index.html;
        
        limit_req zone=dm_limit burst=20;
        limit_req zone=dm_post_limit burst=5;

      
      

      

      
        include includes/*.conf;
      
      
        error_page 404 /index.html;
      
    }
    location ~ .html$ {
      add_header Cache-Control no-cache;
    }
    
    add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Frame-Options "SAMEORIGIN";
    add_header Referrer-Policy "strict-origin";
    add_header X-Content-Type-Options nosniff;
    add_header Content-Security-Policy "default-src 'self' *.crowncommercial.gov.uk *.rollbar.com; font-src *;img-src * data:; script-src *;style-src-elem 'self' 'unsafe-inline' https://fonts.googleapis.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com";


      location ~ /\. {
        deny all;
        return 404;
      }
    
  }
}