APACHE to NGINX | content-security-policy.conf

APACHE_content-security-policy.conf

# REF: https://github.com/h5bp/server-configs-apache/blob/master/src/security/content-security-policy.conf

<IfModule mod_headers.c>
    Header set Content-Security-Policy "script-src 'self'; object-src 'self'"

    <FilesMatch "\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|webmanifest|woff2?|xloc|xml|xpi)$">
        Header unset Content-Security-Policy
    </FilesMatch>

</IfModule>

NGINX_content-security-policy.conf

# by default add some general content-security-policy
add_header Content-Security-Policy "object-src 'self'; script-src 'self'; report-uri 'https://a64f09869d9d888886f95be0f597d7ec.report-uri.io/r/default/csp/enforce' ";

# now unset Content-Security-Policy for resources matching all below
location ~* \.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|webmanifest|woff2?|xloc|xml|xpi)$ {
  more_clear_headers 'Content-Security-Policy';
}

Seems you want to use something like this module : https://github.com/openresty/headers-more-nginx-module#installation . Some information obtained via http://stackoverflow.com/questions/10053119/how-can-remove-nginx-from-http-response-header .

thanks @harikt, the 2nd link I think is putting me on the track..