Behavior of security headers
Valentin V. Bartenev
vbart at nginx.com
Mon Jan 26 13:29:20 UTC 2015
On Monday 26 January 2015 06:19:54 okamzol wrote:
> I've a question regarding the different security headers
> (Content-Security-Policy, etc.) which can be set via add_header.
> In the docs it is mentioned that "add_header" can be set on every level
> (http, server, location). So i tried to set some security related header in
> the server block related to one domain. But this did not work as expected -
> in detail it did not work at all. Even the "Strict-Transport-Security"
> header did not work on server level...
> My first guess was that the used nginx version (1.6.2 stable) may have some
> problems.. So I've updated to 1.7.9 from mainline repo. But nothing
> After some resultless googling for this problem I tried a lot of
> combinations and found that all headers work on only on location level -
> which confused me. In my opinion these headers shall work on server level as
> well or do I misunderstand something in these mechanisms?
I guess this sentence from the documentation can shed light on your problem:
| These directives are inherited from the previous level if and only if
| there are no add_header directives defined on the current level.
wbr, Valentin V. Bartenev
More information about the nginx