Behavior of security headers

Valentin V. Bartenev vbart at
Mon Jan 26 13:29:20 UTC 2015

On Monday 26 January 2015 06:19:54 okamzol wrote:
> Hi,
> I've a question regarding the different security headers
> (Content-Security-Policy, etc.) which can be set via add_header. 
> In the docs it is mentioned that "add_header" can be set on every level
> (http, server, location). So i tried to set some security related header in
> the server block related to one domain. But this did not work as expected -
> in detail it did not work at all. Even the "Strict-Transport-Security"
> header did not work on server level...
> My first guess was that the used nginx version (1.6.2 stable) may have some
> problems.. So I've updated to 1.7.9 from mainline repo. But nothing
> changed...
> After some resultless googling for this problem I tried a lot of
> combinations and found that all headers work on only on location level -
> which confused me. In my opinion these headers shall work on server level as
> well or do I misunderstand something in these mechanisms?

I guess this sentence from the documentation can shed light on your problem:

 | These directives are inherited from the previous level if and only if
 | there are no add_header directives defined on the current level.

  wbr, Valentin V. Bartenev

More information about the nginx mailing list