Add explicit MIME types and caching for static assets

Improve asset handling with:
- Path traversal protection
- Explicit MIME type mapping
- Configurable caching headers
- Case-insensitive extension matching

app/router.php

@@ -17,10 +17,30 @@ $ctx = createContext();
 $GLOBALS['ctx'] = $ctx;
 
 // Check for assets in /custom/assets/ served at root level
-$assetPath = dirname(__DIR__) . '/custom/assets/' . $ctx->requestPath;
-if (file_exists($assetPath) && is_file($assetPath)) {
-    header('Content-Type: ' . (mime_content_type($assetPath) ?: 'application/octet-stream'));
-    readfile($assetPath);
+$assetsDir = realpath(dirname(__DIR__) . '/custom/assets');
+$realAsset = realpath($assetsDir . '/' . $ctx->requestPath);
+if ($realAsset && strncmp($realAsset, $assetsDir . '/', strlen($assetsDir) + 1) === 0 && is_file($realAsset)) {
+    $assetMimeTypes = [
+        'css'     => 'text/css',
+        'js'      => 'application/javascript',
+        'json'    => 'application/json',
+        'geojson' => 'application/json',
+        'svg'     => 'image/svg+xml',
+        'woff'    => 'font/woff',
+        'woff2'   => 'font/woff2',
+        'ttf'     => 'font/ttf',
+        'otf'     => 'font/otf',
+        'png'     => 'image/png',
+        'jpg'     => 'image/jpeg',
+        'jpeg'    => 'image/jpeg',
+        'webp'    => 'image/webp',
+    ];
+    $assetExt = strtolower(pathinfo($realAsset, PATHINFO_EXTENSION));
+    $mime = $assetMimeTypes[$assetExt] ?? 'application/octet-stream';
+    $cacheSeconds = in_array($assetExt, ['json', 'geojson']) ? 60 : 31536000;
+    header('Content-Type: ' . $mime);
+    header('Cache-Control: public, max-age=' . $cacheSeconds);
+    readfile($realAsset);
     exit;
 }