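# Default HTTP virtual host: serves /app and hands PHP requests to a FastCGI
# backend on 127.0.0.1:9000. Every request that does not match a file or
# directory is routed to /index.php (FastRoute front controller).
#
# Ordering matters in this file: nginx tests regex locations (`~`) in the
# order they appear and stops at the first match, so all deny rules are
# placed BEFORE the `\.php$` handler. Otherwise a request such as
# /.hidden/file.php would reach PHP instead of being refused.
server {
    listen 80 default_server;
    listen [::]:80 default_server;

    root /app;
    index index.php index.html index.htm;

    # Catch-all name; this vhost answers for any Host header on port 80.
    server_name _;

    # Hide NGINX version to reduce exposed information
    server_tokens off;

    # Limit upload size to prevent denial of service attacks
    client_max_body_size 10M;
    client_body_buffer_size 128k;

    # Disable directory listing to prevent structure exposure
    autoindex off;

    # ---- Deny rules (must stay above the PHP handler) ----------------------

    # Block access to sensitive directories.
    # `return` answers during the rewrite phase, before access rules such as
    # `deny` are evaluated, so it alone determines the response status.
    location ~ ^/(logs|cache|inc|data|cli|bin|languages|vendor)/ {
        return 403;
    }

    # Block access to hidden files and directories (any path segment that
    # starts with a dot). 404 avoids confirming that the path exists.
    # NOTE(review): this also matches /.well-known/; if anything must be
    # served from there on this vhost, add an explicit location for it above.
    location ~ /\. {
        return 404;
    }

    # Block access to configuration and database files
    location ~ \.(sql|conf|ini)$ {
        return 404;
    }

    # ---- Request handling --------------------------------------------------

    # All requests go through index.php for FastRoute routing
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        # Map /p/... and /api/... onto the front controller. The rewrite
        # pattern already restricts the prefix, so no surrounding `if` is
        # needed; `last` restarts location matching with /index.php.
        rewrite ^/p/(.*)$ /index.php?url=$1 last;
        rewrite ^/api/(.*)$ /index.php?url=$1 last;

        # NOTE(review): the included snippet is not shown here; confirm it
        # rejects requests for scripts that do not exist on disk before they
        # are passed to the FastCGI backend.
        include snippets/fastcgi-php.conf;
        fastcgi_pass 127.0.0.1:9000;

        # Hide header that reveals PHP version
        fastcgi_hide_header X-Powered-By;
    }

    # ---- Logging -----------------------------------------------------------

    # Access logging is disabled entirely; errors at `warn` and above go to
    # stderr.
    # NOTE(review): with no access log there is no request trail for incident
    # response or abuse detection. If that trail is needed, log to a
    # restricted location or forward to a collector instead of disabling it.
    access_log off;
    error_log /dev/stderr warn;
}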