Mistake in nginx config from documentation?

The nginx documentation (https://docs.nextcloud.com/server/12/admin_manual/installation/nginx.html) shows a lot of headers that we can add:

add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;

and add_header Strict-Transport-Security

Lower down the page in the block beginning

location ~ \.(?:css|js|woff|svg|gif)$ {

the same headers are there. Are both needed?

Yes, they are both needed. See the nginx documentation:
http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header

Because the cache-control is added, all other headers won’t be inherited and thus have to be there as well.

Then they are missing for the other location blocks?

No. In the other location blocks there are no add_header directives and the add_header directives are then inherited from the previous level.

The nginx documentation describes it quite well:
“These directives are inherited from the previous level if and only if there are no add_header directives defined on the current level.”


That means it doesn’t get inherited for this block only because of the “cache-control” line, right?

So if I add headers I have to add them in both blocks, right?

PS: wouldn’t it be more comfortable to set all the headers in a separate file called “headers.conf” and load them with “include headers.conf” at the two locations in the nginx vHost configuration?

How does nginx handle this?
Will they be inserted in the correct place? That means in the exact place where I put the “include” line?

Yes and yes.

That is possible. It is up to you to decide whether this is more comfortable for you :wink:

Basically the line with the include-directive will be replaced with the contents of the included file. Thus the included file needs to have correct nginx configuration syntax.
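
The inheritance rule quoted in this thread can be checked mechanically. The following is an added example, not part of the original thread or of the Nextcloud documentation: a small Python audit that reports every block whose own add_header lines cancel the headers set one level up. The sample config and its Cache-Control value are constructed, the parser is a simplification, and include files are not expanded.

```python
import re

# Constructed sample modelled on the layout discussed above (not the full Nextcloud config).
SAMPLE = r'''
server {
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";   # note the ';' inside quotes
    add_header X-Robots-Tag none;
    location / {
        rewrite ^ /index.php$uri;
    }
    location ~ \.(?:css|js|woff|svg|gif)$ {
        add_header Cache-Control "public, max-age=3600";
    }
}
'''

# Quoted strings first, so ';' or '{' inside quotes never split a directive.
TOKEN = re.compile(r'''"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|[{};]|#[^\n]*|[^\s{};"']+''')

def parse(conf):
    """Build a tree of blocks, recording the add_header names set in each."""
    root = {"name": "main", "own": [], "children": []}
    stack, words = [root], []
    for tok in TOKEN.findall(conf):
        if tok.startswith("#"):
            continue                      # comment
        if tok == ";":
            if len(words) >= 3 and words[0] == "add_header":
                stack[-1]["own"].append(words[1].strip("\"'"))
            words = []
        elif tok == "{":
            node = {"name": " ".join(words), "own": [], "children": []}
            stack[-1]["children"].append(node)
            stack.append(node)
            words = []
        elif tok == "}":
            stack.pop()
        else:
            words.append(tok)
    return root

def audit(node, inherited=()):
    """Return [(block, dropped headers)] for blocks whose add_header cancels inheritance."""
    own = node["own"]
    own_lc = {h.lower() for h in own}
    dropped = [h for h in inherited if h.lower() not in own_lc] if own else []
    findings = [(node["name"], dropped)] if dropped else []
    effective = own if own else list(inherited)   # the "if and only if" rule
    for child in node["children"]:
        findings += audit(child, effective)
    return findings

if __name__ == "__main__":
    for block, dropped in audit(parse(SAMPLE)):
        print(f"{block}: not sent here -> {', '.join(dropped)}")
```

Because the tree is built before inheritance is resolved, the result does not depend on whether the server-level headers appear before or after the location blocks in the file.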