Watch Out For This NGINX Quirk!

NGINX has a nasty little quirk with its add_header directive that can easily bite you in the a$$ if you’re not careful.

Put simply, if you use even a single add_header directive in a location block, that block stops inheriting every add_header directive from higher in the tree.

Practically speaking, you could run into a situation as follows:

  • You have a series of add_header directives in your server{} block. For example, you might include headers for things like X-Frame-Options, X-XSS-Protection and so on.
  • You create a location block for media files and add an add_header directive to cache those files using the Cache-Control header.

When you serve a file from that location block, what do you think you’ll see in the browser for the X-Frame-Options and X-XSS-Protection headers?

If you said NOTHING you’re correct. But most admins will not be expecting that!

As soon as you added the Cache-Control header to the location block, NGINX wiped out all the add_header directives you placed higher in the tree in the server{} block!

It’s a nasty little quirk that can bite you when you least expect it. It is fully documented in the NGINX manuals, but almost everyone misses it.
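
The situation described above as an NGINX configuration, with the media location shown before and after the server-level headers are repeated in it. This is an added example, not configuration from the original article; the server name, paths, location names and header values are assumptions.

```nginx
# Constructed example: server name, paths, location names and header
# values are assumptions chosen for illustration.
server {
    listen 80;
    server_name example.com;
    root /var/www/html;

    # Security headers declared once at server level.
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";

    # No add_header at this level, so both server-level headers
    # are inherited and sent with responses from this location.
    location / {
        try_files $uri $uri/ =404;
    }

    # BEFORE: one add_header at this level means nothing is inherited.
    # Responses carry Cache-Control only; X-Frame-Options and
    # X-XSS-Protection are missing.
    location /media-before/ {
        add_header Cache-Control "public, max-age=2592000";
    }

    # AFTER: every header this location should send is declared at
    # this level, next to the Cache-Control header.
    location /media/ {
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-XSS-Protection "1; mode=block";
        add_header Cache-Control "public, max-age=2592000";
    }
}
```

Requesting a file from each location with curl -I and comparing the response headers shows which blocks still send X-Frame-Options and X-XSS-Protection. To avoid the repeated lines drifting apart, the shared add_header lines can live in one file that is pulled in with the include directive at every level that declares its own headers.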
