Headers inconsistent

[ansibleguy]

Not really sure if it's my setup, but the headers seem to be set inconsistently.
I see them on redirects (301), but not on the actual site-load (200) [with static page content served].

I use the plain_only mode.

Alias domain:

curl -v http://<IP> -H "Host: <ALIAS>"
< HTTP/1.1 301 Moved Permanently
< Server: nginx
< Date: Fri, 06 Sep 2024 14:46:37 GMT
< Content-Type: text/html
< Content-Length: 162
< Connection: keep-alive
< Location: http://<CANONICAL>/
< Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
< Referrer-Policy: strict-origin-when-cross-origin
< X-Frame-Options: DENY
< X-Content-Type-Options: nosniff
< X-Permitted-Cross-Domain-Policies: none
< Content-Security-Policy: ...

Canonical:

< HTTP/1.1 200 OK
< Server: nginx
< Date: Fri, 06 Sep 2024 14:46:51 GMT
< Content-Type: text/html
< Content-Length: 11695
< Last-Modified: Fri, 06 Sep 2024 14:30:05 GMT
< Connection: keep-alive
< ETag: "66db11ed-2daf"
< Cache-Control: no-store, no-cache, must-revalidate
< Accept-Ranges: bytes

Config:

server {
  listen 80;
  listen [::]:80;
  server_name <CANONICAL> <ALIAS>;

  if ($host != $server_name) {
    rewrite ^/(.*) $scheme://$server_name/$1 permanent;
  }

  ...

  # global headers
  add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" always;
  add_header Referrer-Policy strict-origin-when-cross-origin;
  add_header X-Frame-Options DENY;
  add_header X-Content-Type-Options nosniff;
  add_header X-Permitted-Cross-Domain-Policies none;

  # site-specific headers
  add_header Content-Security-Policy "...";

Not really sure how & why this happens.

[ansibleguy]

Seen that there are updates available.. maybe a bug.
Nope - no change