From d4e4cca682d56f4ff8d7973eb1420719aafc47b0 Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Fri, 18 Jun 2021 20:22:34 -0400
Subject: [PATCH] set security headers on error responses too

---
 nginx/nginx.conf | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index ed17698..6146e0b 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -90,9 +90,9 @@ http {
 include snippets/security-headers.conf;
 add_header Cross-Origin-Resource-Policy "same-origin" always;
- add_header Content-Security-Policy "script-src 'none'; style-src 'none'; frame-ancestors 'none'; block-all-mixed-content";
+ add_header Content-Security-Policy "script-src 'none'; style-src 'none'; frame-ancestors 'none'; block-all-mixed-content" always;
 # obsolete and replaced with Content-Security-Policy frame-ancestors 'none'
- add_header X-Frame-Options "DENY";
+ add_header X-Frame-Options "DENY" always;
 location = / {
 return 301 https://grapheneos.org/articles/grapheneos-servers#matrix.grapheneos.org;
@@ -103,9 +103,9 @@ http {
 proxy_hide_header X-Frame-Options;
 include snippets/security-headers.conf;
 add_header Cross-Origin-Resource-Policy "cross-origin" always;
- add_header Content-Security-Policy "script-src 'none'; style-src 'none'; frame-ancestors 'none'; block-all-mixed-content";
+ add_header Content-Security-Policy "script-src 'none'; style-src 'none'; frame-ancestors 'none'; block-all-mixed-content" always;
 # obsolete and replaced with Content-Security-Policy frame-ancestors 'none'
- add_header X-Frame-Options "DENY";
+ add_header X-Frame-Options "DENY" always;
 add_header X-Robots-Tag "none";
 proxy_pass http://backend;
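Review bot: In the @@ -103 hunk, `add_header X-Robots-Tag "none";` is left without `always`, so after this change it is the only header at that level that nginx still omits on responses other than 200, 201, 204, 206, 301, 302, 303, 304, 307 and 308; the @@ -132 hunk on the next line carries the same line. If error pages are meant to stay out of search indexes as well, `add_header X-Robots-Tag "none" always;` makes the block consistent with the commit's stated intent. X-Robots-Tag is not a security header, so the omission may be deliberate; if so, a short comment next to it saying that only status-dependent indexing hints are wanted would stop the next reader from "fixing" it. The enclosing location block starts and ends outside the hunk.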
@@ -132,9 +132,9 @@ http {
 include snippets/security-headers.conf;
 add_header Cross-Origin-Resource-Policy "same-origin" always;
- add_header Content-Security-Policy "script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-ancestors 'self'; block-all-mixed-content";
+ add_header Content-Security-Policy "script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-ancestors 'self'; block-all-mixed-content" always;
 # obsolete and replaced with Content-Security-Policy frame-ancestors 'self'
- add_header X-Frame-Options "SAMEORIGIN";
+ add_header X-Frame-Options "SAMEORIGIN" always;
 add_header X-Robots-Tag "none";
 }