OK, if I understand this right - in my original config I have 2 additional add_header (cache-control) directives in /image location. And these 2 directives prevent that the security headers will be applied on server level? It seems so as this will explain why it works when I apply the sec.headers on location level...

But how to handle domain-wide headers like those security headers and location specific ones like cache-control? I mean, without repeating all securty headers in each location?