fix: nginx routing, security headers, CORS

nginx.conf

@@ -14,7 +14,25 @@ server {
     ssl_certificate /etc/letsencrypt/live/pillchecker.duckdns.org/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/pillchecker.duckdns.org/privkey.pem;
 
-    # API routes → FastAPI backend
+    # Hide nginx version
+    server_tokens off;
+
+    # Security headers
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-Frame-Options "DENY" always;
+
+    # CORS headers (for Swagger UI and future web clients)
+    add_header Access-Control-Allow-Origin "*" always;
+    add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always;
+    add_header Access-Control-Allow-Headers "Content-Type, X-API-Key" always;
+
+    # CORS preflight
+    if ($request_method = 'OPTIONS') {
+        return 204;
+    }
+
+    # Rate-limited API routes
     location /analyze {
         limit_req zone=api burst=5 nodelay;
         proxy_pass http://api:8000;
@@ -33,16 +51,12 @@ server {
         proxy_set_header X-Forwarded-Proto $scheme;
     }
 
-    location /health {
+    # All other routes → FastAPI (health, docs, admin, openapi.json, redoc)
+    location / {
         proxy_pass http://api:8000;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Proto $scheme;
     }
-
-    # Catch-all: return 404 for unknown routes (API-only, no frontend)
-    location / {
-        return 404;
-    }
 }