diff --git a/roles/nextcloud/files/Caddyfile b/roles/nextcloud/files/Caddyfile
index 8a86c1c..a54f3f5 100644
--- a/roles/nextcloud/files/Caddyfile
+++ b/roles/nextcloud/files/Caddyfile
@@ -1,16 +1,34 @@
-:80 {
- root * /var/www/html
- file_server
+{
+ servers {
+ trusted_proxies static 10.0.0.0/8
+ }
+}
+
+:80 {
+ encode zstd gzip
+ root * /var/www/html
- php_fastcgi app:9000
 header {
 # enable HSTS
 Strict-Transport-Security max-age=31536000;
+ Permissions-Policy interest-cohort=()
+ X-Content-Type-Options nosniff
+ X-Frame-Options SAMEORIGIN
+ Referrer-Policy no-referrer
+ X-XSS-Protection "1; mode=block"
+ X-Permitted-Cross-Domain-Policies none
+ X-Robots-Tag "noindex, nofollow"
+ -X-Powered-By
 }
 redir /.well-known/carddav /remote.php/dav 301
 redir /.well-known/caldav /remote.php/dav 301
+ # Uncomment this block if you use the high speed files backend: https://github.com/nextcloud/notify_push
+ #handle_path /push/* {
+ # reverse_proxy unix//run/notify_push/notify_push.sock # I love Unix sockets, but you can do :7867 also
+ #}
+
 # .htaccess / data / config / ... shouldn't be accessible from outside
 @forbidden {
 path /.htaccess
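Review bot: `trusted_proxies static 10.0.0.0/8` in the new global `servers` block trusts X-Forwarded-* headers from every host in the whole 10/8 range, not just the upstream proxy; any other workload that can reach `:80` from an address in that range can then present a forged client IP to Nextcloud, which affects its brute-force protection and its logs. Narrow it to the proxy's actual address or subnet, e.g. `trusted_proxies static <PROXY_CIDR>`, and leave a comment naming which proxy it is. The site also sends HSTS on a plain `:80` listener, which presumably relies on TLS being terminated by that proxy — a one-line comment stating that assumption would stop someone exposing this listener directly. The `@forbidden` block that begins at the end of this hunk continues outside it.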
@@ -25,8 +43,36 @@
 path /occ
 path /console.php
 }
+ handle @forbidden {
+ respond 404
+ }
- respond @forbidden 404
+ handle {
+ root * /var/www/html
+ php_fastcgi app:9000 {
+ # Tells nextcloud to remove /index.php from URLs in links
+ env front_controller_active true
+ env modHeadersAvailable true # Avoid sending the security headers twice
+ }
+ }
+ # From .htaccess, set cache for versioned static files (cache-busting)
+ @immutable {
+ path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite
+ query v=*
+ }
+ header @immutable Cache-Control "max-age=15778463, immutable"
+
+ # From .htaccess, set cache for normal static files
+ @static {
+ path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite
+ not query v=*
+ }
+ header @static Cache-Control "max-age=15778463"
+
+ # From .htaccess, cache fonts for 1 week
+ @woff2 path *.woff2
+ header @woff2 Cache-Control "max-age=604800"
+
+ file_server
 }
-
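Review bot: `env modHeadersAvailable true` makes the `header {}` block earlier in the file the only source of Nextcloud's security headers, so the inline `# Avoid sending the security headers twice` comment understates the coupling; I'd replace it with `# Nextcloud stops emitting its own security headers when this is set; keep the header block above complete`. `root * /var/www/html` inside the catch-all `handle` repeats the `root` already set at the top of the site block and can be dropped, unless it is deliberately meant to survive a later change of the outer root — in which case say so in a comment. The `@forbidden` matcher and the enclosing `:80` block both start outside this hunk.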