http { add_header X-Frame-Options "DENY" always; server { location /new-headers { add_header X-Frame-Options "DENY" always; add_header X-Foo foo; } } }