Why are the X-Content-Type-Options and X-XSS-Protection headers not returned over https?

Hello everybody. I have a server running nginx together with php-fpm. In the nginx configuration (/etc/nginx/nginx.conf), the http block specifies:
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1;mode=block";

When I open the website via http, these headers are returned by the server, but once I switched to https and set up a redirect to the https version of the page, the server does not return these headers. Tell me, please, why?
I checked the server's response by entering the domain name without the protocol and got this picture:
5c9a8c6a94766881460075.png
March 19th 20 at 08:44
1 answer
March 19th 20 at 08:46
Solution
nginx.org/ru/docs/http/ngx_http_headers_module.htm...
These directives are inherited from the previous level, provided that no add_header directives are defined at the current level.

The server block for https contains add_header Strict-Transport-Security, so the directives from the previous level are not inherited.
THANK YOU VERY MUCH! - Jayme_VonRued commented on March 19th 20 at 08:49
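
The inheritance rule from the answer, shown as a configuration with the failing https server block beside a corrected one. This is an added example, not the asker's actual configuration: example.com, the certificate paths and the HSTS max-age value are placeholders.

```nginx
# Constructed example; example.com, certificate paths and the HSTS value are placeholders.
events {}

http {
    # Defined once at http level, as in the question.
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1;mode=block";

    # Port 80: this block has no add_header of its own, so it inherits
    # all three http-level headers (they are sent with the 301 as well).
    server {
        listen 80;
        server_name example.com;
        return 301 https://$host$request_uri;
    }

    # BEFORE (kept as a comment): a single add_header in the server block
    # replaces the whole inherited set, so only HSTS is sent over https.
    #
    # server {
    #     listen 443 ssl;
    #     server_name example.com;
    #     add_header Strict-Transport-Security "max-age=31536000";
    # }

    # AFTER: a block that declares any add_header must restate every
    # header it still needs from the level above.
    server {
        listen 443 ssl;
        server_name example.com;
        ssl_certificate     /etc/nginx/ssl/example.com.crt;   # placeholder path
        ssl_certificate_key /etc/nginx/ssl/example.com.key;   # placeholder path

        add_header Strict-Transport-Security "max-age=31536000";
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1;mode=block";

        # The same rule applies one level down: a location block containing
        # its own add_header would again drop all four headers above.
    }
}
```

Putting the shared add_header lines in one file and pulling it in with include in every block that defines its own headers keeps the sets from drifting apart. Running curl -sI against both the http and https URLs shows which headers each block actually sends.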
