Watch Out For This NGINX Quirk!

NGINX has a nasty little quirk with its add_header directive that can easily bite you in a$$ if you’re not careful.

Put simply, if you use even a single add_header directive in a location block, it will remove all add_header directives from higher in the tree.

Practically speaking, you could run into a situation as follows:

  • You have a series of add_header directives in your server{} block. For example, you might include headers for things like X-Frame-Options, X-XSS-Protection and so on.
  • You create a location block for media files and add an add_header directive to cache those files using the Cache-Control header.

When you serve a file from that location block, what do you think you’ll see in the browser for the X-Frame-Options and X-XSS-Protection headers?

If you said NOTHING you’re correct. But most admins will not be expecting that!

As soon as you added the Cache-Control header to the location block, NGINX wiped out all the add_header directives you placed higher in the tree in the server{} block!

It’s a nasty little quirk that can bite you when you least expect it. But it’s fully documented in the NGINX manuals, though almost everyone misses it.

Automatic Notification Of New Articles

Sign up to get automatic notifications of new articles.  This is a different list than our standard list - you only get new articles within 24 hours of publication.  No other emails will be sent unless you sign up for our general list as well.

Posted in