Problem
In docker/nginx/nginx-ssl.conf, the static assets location block uses add_header Cache-Control ... Because nginx inherits add_header directives from the parent level only when the current level defines none of its own, that single directive replaces all parent-level add_header directives. This silently drops HSTS, X-Content-Type-Options, X-Frame-Options, and X-XSS-Protection from all JS, CSS, image, and font responses.
Same issue at the /health location block where add_header Content-Type ... also erases inherited security headers.
Discovered During
Code review of PR #1934 (#1896)
Impact
Severity: medium — security headers missing on static assets
Fix
Repeat the security headers inside each child location block, or use the ngx_headers_more module.
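A check for this regression, as an added example (not code from the project): it walks an nginx config and reports each location block whose own add_header directives cause it to lose security headers set at an enclosing level. The sample config, its header values and upstream name are constructed, the function name dropped_headers is hypothetical, and the parser is simplified (it does not follow include files).

```python
import re

SECURITY_HEADERS = {"strict-transport-security", "x-content-type-options",
                    "x-frame-options", "x-xss-protection"}
TOKEN = re.compile(r'''"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|#[^\n]*|[{};]|[^\s{};"'#]+''')

# Constructed sample reproducing the pattern; not the project's real nginx-ssl.conf.
SAMPLE_CONF = r"""
server {
    add_header Strict-Transport-Security "max-age=31536000" always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options DENY always;
    add_header X-XSS-Protection "1; mode=block" always;
    location / { proxy_pass http://app:8000; }   # no add_header: inherits all four
    location ~* \.(js|css|png|woff2)$ {
        add_header Cache-Control "public, max-age=86400";   # drops all four
    }
    location /health {
        add_header Content-Type text/plain;   # drops all four
        return 200 "ok";
    }
}
"""

def dropped_headers(conf):
    """Map each location block to the security headers its add_header lines discard."""
    root = {"name": "main", "own": set(), "parent": None}
    blocks, cur, words = [], root, []
    tokens = [t for t in TOKEN.findall(conf) if not t.startswith("#")]
    for tok in tokens:
        if tok not in ("{", "}", ";"):
            words.append(tok)          # still collecting one directive's words
            continue
        if tok == "{":                 # words so far name the block being opened
            cur = {"name": " ".join(words), "own": set(), "parent": cur}
            blocks.append(cur)
        elif tok == "}":
            cur = cur["parent"] or root
        elif len(words) > 1 and words[0] == "add_header":
            cur["own"].add(words[1].strip("\"'").lower())
        words = []
    def effective(b):  # add_header set in force at b: its own, else the nearest ancestor's
        return set() if b is None else b["own"] or effective(b["parent"])
    findings = {}
    for b in blocks:
        lost = (effective(b["parent"]) & SECURITY_HEADERS) - b["own"]
        if b["name"].startswith("location") and b["own"] and lost:
            findings[b["name"]] = sorted(lost)
    return findings
```

Run against the sample, it flags the static assets and /health locations and leaves `location /` alone, since that block defines no add_header of its own.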