server {
    listen 8080;
    root /var/www/html;
    index router.php;

    # CORS (including OPTIONS preflight) is handled entirely in _bootstrap.php so every
    # endpoint gets identical headers from one source. Do not add CORS headers here too —
    # nginx-level add_header directives stack with PHP's header() calls instead of replacing
    # them, producing duplicate/conflicting Access-Control-* headers that real browsers
    # reject outright (surfaces in the frontend as a generic "Failed to fetch").

    location / {
        try_files $uri $uri/ @php;
    }

    location @php {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index router.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME /var/www/html/router.php;
        fastcgi_param REQUEST_URI $request_uri;
    }

    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index router.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }

    # Security: deny access to sensitive files
    location ~ /\.(ht|git|env) {
        deny all;
    }
}