location / {

  # Path to source
  alias __INSTALL_DIR__/sources/web/;

  index index.php;

  client_max_body_size 500M;

  try_files $uri $uri/ index.php;

  location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_pass unix:/var/run/php/php__PHPVERSION__-fpm-__NAME__.sock;

    fastcgi_index index.php;
    include fastcgi_params;
    fastcgi_param REMOTE_USER $remote_user;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_param SCRIPT_FILENAME $request_filename;
  }

  # security headers
  more_set_headers "Strict-Transport-Security: max-age=63072000";
  more_set_headers "X-XSS-Protection: 0";
  more_set_headers "X-Content-Type-Options: nosniff";
  more_set_headers "Content-Security-Policy: default-src 'self' data:; script-src 'self'; connect-src 'self' blob: https://get.elabftw.net; img-src 'self' data: blob: https://www.cornify.com; style-src 'self' 'unsafe-inline'; font-src 'self' data:; object-src 'self'; base-uri 'none'; frame-ancestors 'none'";
  more_set_headers "Referrer-Policy: no-referrer";
  more_set_headers "Feature-Policy: autoplay 'none'; camera 'none'; document-domain 'none'; encrypted-media 'none'; fullscreen 'self'; geolocation 'none'; microphone 'none'; midi 'none'; payment 'none'; vr 'none'";
  more_set_headers "Vary: Accept-Encoding";
}