diff --git a/nginx.conf b/nginx.conf
index 5561702..543c1f5 100755
--- a/nginx.conf
+++ b/nginx.conf
@@ -1,5 +1,10 @@
 error_log /var/log/nginx/error.log info;
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+}
+
 # Default HTTP -> HTTPS redirect (keine Änderung)
 server {
 listen 80 default_server;
@@ -61,35 +66,60 @@ server {
 ssl_protocols TLSv1.2 TLSv1.3;
 ssl_prefer_server_ciphers on;
- # Auth-Request
- auth_request /nginxauth;
+ # ---- Static assets: keine Auth, damit Browser die .js/.css korrekt erhält ----
+ location ~* \.(?:js|css|png|jpg|jpeg|gif|ico|svg|webp)$ {
+ proxy_pass https://thinkcentre.local:10010;
+ proxy_set_header Host thinkcentre.local;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ # kein proxy_set_header Connection / Upgrade hier
+ }
- location / {
- proxy_pass https://thinkcentre.local:10010/;
+ # ---- WebSocket-Endpoint (falls z.B. /echo) - auth prüfen ----
+ location /echo {
+ auth_request /nginxauth;
+ proxy_pass https://thinkcentre.local:10010/echo;
- # WebSocket Support
 proxy_http_version 1.1;
 proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
+ proxy_set_header Connection $connection_upgrade;
- # SSL zum Upstream
 proxy_ssl_server_name on;
- proxy_ssl_name thinkcentre.local; # proxy_ssl_name abc.server.schooltech.ch;
+ proxy_ssl_name thinkcentre.local;
 proxy_ssl_verify off;
- # Standard Proxy Header
- proxy_set_header Host thinkcentre.local; # proxy_set_header Host abc.server.schooltech.ch;
+ proxy_set_header Host thinkcentre.local;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ }
+
+ # ---- Hauptanwendung (HTML, API-Aufrufe aus dem App) - auth prüfen ----
+ location / {
+ auth_request /nginxauth;
+
+ proxy_pass https://thinkcentre.local:10010/;
+
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+
+ proxy_ssl_server_name on;
+ proxy_ssl_name thinkcentre.local;
+ proxy_ssl_verify off;
+
+ proxy_set_header Host thinkcentre.local;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto https;
 proxy_set_header Origin $http_origin;
- # iFrame erlauben
 proxy_hide_header X-Frame-Options;
 add_header X-Frame-Options "ALLOWALL" always;
 proxy_hide_header Content-Security-Policy;
- add_header Content-Security-Policy "frame-ancestors https://server.schooltech.ch" always; # add_header Content-Security-Policy "frame-ancestors *" always;
+ add_header Content-Security-Policy "frame-ancestors https://server.schooltech.ch" always;
 }
 location = /nginxauth {
@@ -101,6 +131,7 @@ server {
 }
+
 server {
 listen 443 ssl http2;
 server_name xyz.server.schooltech.ch;
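Review bot: The new regex location `~* \.(?:js|css|png|...)$` is selected before the prefix locations `/echo` and `/` and carries no `auth_request`, so every request whose path ends in one of those extensions — anywhere in the URI space, not only a static tree — is proxied to the upstream without passing `/nginxauth`; this is intended for asset files but it also exempts any upstream route that happens to end that way, and the exemption is easy to overlook later. If the assets live under a known prefix, scoping the exemption with a prefix match such as `location ^~ /static/ { ... }` keeps the auth bypass to that tree; otherwise the block should at least state the trade-off, e.g. `# NOTE: regex location wins over prefix locations - any path ending in these extensions skips /nginxauth`. The same block also omits `proxy_ssl_server_name on;` and `proxy_ssl_name thinkcentre.local;` that the `/echo` and `/` blocks set, so the upstream TLS handshake for assets is made without SNI, which is inconsistent and may behave differently on a name-based upstream. `proxy_ssl_verify off;` is carried over into the new `location /` block (and the `/echo` context lines), so the upstream certificate is still not checked on any path; worth a comment naming that as a known gap. The enclosing `server {}` block starts before this hunk and ends after it.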