From b08c5f495e8e02695a2bf03dcf60254d2f566163 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Neves?=
Date: Fri, 19 Jun 2026 10:04:36 +0000
Subject: [PATCH] fix(nginx): add security headers to static assets location block

In nginx, add_header directives are NOT inherited from the server level to a location block that defines its own add_header. The static assets location block set add_header Cache-Control, which prevented server-level security headers (X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, Referrer-Policy) from being applied to cached static assets.

This fix duplicates the security headers inside the static assets location block so that all responses receive consistent headers regardless of which location block processes them.
---
 nginx.conf | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/nginx.conf b/nginx.conf
index 8dd15fe..b825e45 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -12,6 +12,10 @@ server {
 location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
 expires 1y;
 add_header Cache-Control "public, immutable";
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header Referrer-Policy "strict-origin-when-cross-origin" always;
 }
 
 # Security headers
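Review bot: The new `add_header X-XSS-Protection "1; mode=block" always;` line copies a header that current Chromium, Firefox and Safari no longer implement, and whose filtering mode was itself the vector for XSS-auditor side-channel and selective-blocking attacks in the engines that did; current OWASP guidance is to send `X-XSS-Protection "0"` or drop the header and rely on a Content-Security-Policy instead. Because the server-level copy of these directives (under the `# Security headers` comment, outside this hunk) presumably carries the same value, it should be changed in both places at once, and the four directives are better moved into a snippet file that both the server block and this location `include` — the commit message itself explains that two hand-maintained copies of the same header set are exactly how this drift happened, and a third divergence will occur the next time someone adds `add_header` to another location. The `always` flag on the new lines is correct (nginx otherwise omits them on 4xx/5xx), and leaving it off the pre-existing `Cache-Control "public, immutable"` line is arguably right since a cached immutable 404 is undesirable, but a one-line comment such as `# no 'always' here: never cache error responses as immutable` would make that asymmetry deliberate rather than accidental.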