Well, this is something I particularly noticed for the https vhost config. The CSP headers are properly being displayed for http but not for https.
Here is my config:
more /etc/nginx/conf.d/sec-headers.conf
add_header Content-Security-Policy "default-src 'self'; font-src *;img-src * data:; script-src *; style-src *;" always;
server {
include /etc/nginx/apploxconf.d/applox-bots-declare.conf;
include /etc/nginx/conf.d/sec-headers.conf;
listen 80;
.
..
.
And here is https:
server {
include /etc/nginx/apploxconf.d/applox-bots-declare.conf;
include /etc/nginx/conf.d/sec-headers.conf;
listen 443 ssl http2;
However, http properly gets reflected, but not https.
curl -I http://www.xxxx.xxx
HTTP/1.1 301 Moved Permanently
Date: Wed, 30 Nov 2022 03:20:23 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: https://www.xxxx.xxxx
Server: applox-waf
Content-Security-Policy: default-src 'self'; font-src *;img-src * data:; script-src *; style-src *;

HTTP/1.1 200 OK
Date: Wed, 30 Nov 2022 03:33:47 GMT
Content-Type: text/html
Content-Length: 37579
Connection: keep-alive
Cache-Control: private
Set-Cookie: ASPSESSIONIDSGSTSTQQ=KOMPLPOCKOFKKCOELBNALAKE; secure; path=/
Server: applox-waf
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Referrer-Policy: no-referrer-when-downgrade
X-Frame-Options: SAMEORIGIN
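An added example, not taken from the original post, of one nginx behaviour worth ruling out when a server-level add_header shows up on one vhost but not the other: add_header directives are inherited from the enclosing level only if the current level defines no add_header of its own, so a location (or any other nested context) that adds even a single header silently drops the inherited CSP. The upstream name `backend` and the location layout below are assumptions; the header file path and the CSP value are the ones from the post.

```nginx
# Added example (not the poster's config): server-level headers are lost in any
# context that defines its own add_header, because nginx inherits add_header
# from the enclosing level only when the current level has none.

server {
    listen 443 ssl http2;
    include /etc/nginx/conf.d/sec-headers.conf;   # CSP defined at server level

    location / {
        # This add_header replaces the whole inherited set: the CSP from the
        # server level is no longer sent for responses handled by this location.
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        proxy_pass http://backend;   # assumed upstream name
    }
}

# Corrected form: re-include the shared header file in every context that adds
# headers of its own, so the CSP is emitted alongside the location-specific ones.
server {
    listen 443 ssl http2;
    include /etc/nginx/conf.d/sec-headers.conf;

    location / {
        include /etc/nginx/conf.d/sec-headers.conf;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        proxy_pass http://backend;   # assumed upstream name
    }
}
```

A quick way to confirm which config file is actually defining headers on the https side is `nginx -T`, which prints the fully resolved configuration including every included file; look for add_header lines inside location blocks of the 443 server that do not also include sec-headers.conf.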