# HTTP site: redirect everything to HTTPS
http://localhost {
    redir https://{host}{uri} permanent
}

# HTTPS site
https://localhost {
    reverse_proxy web:80
    tls internal

    # Optional: security headers (defense-in-depth)
    header {
        X-Content-Type-Options "nosniff"
        X-Frame-Options "DENY"
        Referrer-Policy "no-referrer"
    }
}