diff --git a/data-api.js b/data-api.js
index 2d526c8..c5265cf 100644
--- a/data-api.js
+++ b/data-api.js
@@ -19,6 +19,37 @@ const port = process.env.PORT || 3000;
 const DATA_DIR = process.env.DATA_DIR || '/data';
 const DATA_FILE = path.join(DATA_DIR, 'weight-tracker-data.json');
 
+// Print data file path for debugging
+console.log(`[STARTUP] Data directory: ${DATA_DIR}`);
+console.log(`[STARTUP] Data file path: ${DATA_FILE}`);
+
+// List files in data directory if it exists
+if (fs.existsSync(DATA_DIR)) {
+  try {
+    const files = fs.readdirSync(DATA_DIR);
+    console.log(`[STARTUP] Files in ${DATA_DIR}:`, files);
+    
+    // If data file exists, log its size and content preview
+    if (fs.existsSync(DATA_FILE)) {
+      const stats = fs.statSync(DATA_FILE);
+      console.log(`[STARTUP] Data file exists: ${DATA_FILE}, size: ${stats.size} bytes`);
+      
+      if (stats.size > 0) {
+        const preview = fs.readFileSync(DATA_FILE, 'utf8').substring(0, 200);
+        console.log(`[STARTUP] Data file content preview: ${preview}...`);
+      } else {
+        console.log(`[STARTUP] Data file is empty`);
+      }
+    } else {
+      console.log(`[STARTUP] Data file does not exist: ${DATA_FILE}`);
+    }
+  } catch (error) {
+    console.error(`[STARTUP] Error reading data directory: ${error.message}`);
+  }
+} else {
+  console.log(`[STARTUP] Data directory does not exist: ${DATA_DIR}`);
+}
+
 // Middleware
 app.use(cors());
 app.use(bodyParser.json({ limit: '5mb' }));
diff --git a/docker-compose.yml b/docker-compose.yml
index c9895ed..d31438d 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -14,6 +14,8 @@ services:
     networks:
       - weight-tracker-network
     environment:
+      # Data file location - make sure this is correct
+      - DATA_DIR=/data
       # Authentication Configuration
       - PASSWORD_HASH=${PASSWORD_HASH:-$2a$10$EgxHKjDDFcZKtQY9hl/N4.QvEQHCXVnQXw9dzFYlUDVKOcLMGp9eq}
       - AUTH_USERNAME=${AUTH_USERNAME:-user}
diff --git a/js/dataManager.js b/js/dataManager.js
index d4ff441..55767b5 100644
--- a/js/dataManager.js
+++ b/js/dataManager.js
@@ -20,7 +20,8 @@ const DataManager = (() => {
         return true;
     };
     
-    // Storage file path for Docker environment - this needs to match the API endpoint in data-api.js
+    // API endpoint path for data operations - this must match the API endpoint in data-api.js
+    // Note: This is NOT a file system path, but an API endpoint URL path
     const serverDataPath = '/data/weight-tracker-data.json';
     
     /**
diff --git a/nginx.conf b/nginx.conf
index 640a64a..adb15e6 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -1,3 +1,4 @@
+# Main server block
 server {
     listen 80;
     server_name localhost;
@@ -7,47 +8,30 @@ server {
     # Enable gzip compression
     gzip on;
     gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
-
-    # Protect all routes with basic authentication
-    location / {
-        # Include authentication configuration
-        include /etc/nginx/auth.conf;
-        
-        # Serve static files
-        try_files $uri $uri/ =404;
-        
-        # CORS headers
-        add_header 'Access-Control-Allow-Origin' '*' always;
-        add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
-        add_header 'Access-Control-Allow-Headers' 'Origin, X-Requested-With, Content-Type, Accept, Authorization' always;
-        
-        # Handle preflight requests
-        if ($request_method = 'OPTIONS') {
-            add_header 'Access-Control-Allow-Origin' '*';
-            add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS';
-            add_header 'Access-Control-Allow-Headers' 'Origin, X-Requested-With, Content-Type, Accept, Authorization';
-            add_header 'Access-Control-Max-Age' 1728000;
-            add_header 'Content-Type' 'text/plain charset=UTF-8';
-            add_header 'Content-Length' 0;
-            return 204;
-        }
+    
+    # Global CORS configuration
+    add_header 'Access-Control-Allow-Origin' '*' always;
+    add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
+    add_header 'Access-Control-Allow-Headers' 'Origin, X-Requested-With, Content-Type, Accept, Authorization' always;
+    
+    # Global OPTIONS handler
+    if ($request_method = 'OPTIONS') {
+        add_header 'Access-Control-Allow-Origin' '*';
+        add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS';
+        add_header 'Access-Control-Allow-Headers' 'Origin, X-Requested-With, Content-Type, Accept, Authorization';
+        add_header 'Access-Control-Max-Age' 1728000;
+        add_header 'Content-Type' 'text/plain charset=UTF-8';
+        add_header 'Content-Length' 0;
+        return 204;
     }
     
-    # Special location for index.html to avoid redirection loops
-    location = /index.html {
-        # Include authentication configuration
-        include /etc/nginx/auth.conf;
+    # DATA API ENDPOINTS - NO AUTHENTICATION
+    # This location must be defined BEFORE the root location to take precedence
+    location ^~ /data/ {
+        # Explicitly disable authentication for data API
+        auth_basic off;
         
-        # CORS headers
-        add_header 'Access-Control-Allow-Origin' '*' always;
-        add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
-        add_header 'Access-Control-Allow-Headers' 'Origin, X-Requested-With, Content-Type, Accept, Authorization' always;
-    }
-
-    # Proxy requests to the data API - no auth required for API endpoints
-    location /data/ {
-        # No authentication for data API to allow the app to save/load data
-        auth_basic off; # Explicitly disable auth for data API
+        # API Proxy configuration
         proxy_pass http://localhost:3000/data/;
         proxy_http_version 1.1;
         proxy_set_header Upgrade $http_upgrade;
@@ -56,26 +40,23 @@ server {
         proxy_cache_bypass $http_upgrade;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        
-        # CORS headers for data API
-        add_header 'Access-Control-Allow-Origin' '*' always;
-        add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
-        add_header 'Access-Control-Allow-Headers' 'Origin, X-Requested-With, Content-Type, Accept, Authorization' always;
-        
-        # Handle preflight requests for the API
-        if ($request_method = 'OPTIONS') {
-            add_header 'Access-Control-Allow-Origin' '*';
-            add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS';
-            add_header 'Access-Control-Allow-Headers' 'Origin, X-Requested-With, Content-Type, Accept, Authorization';
-            add_header 'Access-Control-Max-Age' 1728000;
-            add_header 'Content-Type' 'text/plain charset=UTF-8';
-            add_header 'Content-Length' 0;
-            return 204;
-        }
     }
-
+    
+    # AUTHENTICATED APPLICATION ROUTES
+    # This covers all routes except those specifically excluded above
+    location / {
+        # Apply authentication
+        include /etc/nginx/auth.conf;
+        
+        # Serve static files
+        try_files $uri $uri/ /index.html;
+    }
+    
     # Enable browser caching for static assets
     location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
+        # Include authentication for static assets
+        include /etc/nginx/auth.conf;
+        
         expires 30d;
         add_header Cache-Control "public, no-transform";
         add_header 'Access-Control-Allow-Origin' '*' always;