diff --git a/docker-compose.yml b/docker-compose.yml
index a2f35ea3c..6306c259e 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -6,8 +6,8 @@ services:
 volumes:
 - "./:/d"
 - "./nginx.conf:/etc/nginx/sites-enabled/1"
- - "./nginx-serve-static.conf:/etc/nginx/includes/serve-static"
- - "./nginx-headers.conf:/etc/nginx/includes/headers"
+ - "./includes/serve-static:/etc/nginx/includes/serve-static"
+ - "./includes/headers:/etc/nginx/includes/headers"
 links:
 - "redis"
 - "postgres"
diff --git a/includes/headers b/includes/headers
new file mode 100644
index 000000000..c934843c7
--- /dev/null
+++ b/includes/headers
@@ -0,0 +1,6 @@
+add_header Referrer-Policy "same-origin";
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
+add_header X-Frame-Options "deny";
+add_header X-Content-Type-Options "nosniff";
+add_header Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; frame-ancestors 'none'; form-action 'self'; manifest-src 'self'; worker-src 'self'; base-uri 'self'; font-src 'self'; style-src-elem 'self'; style-src-attr 'unsafe-inline'; style-src 'self' 'unsafe-inline'; script-src-elem 'self' challenges.cloudflare.com; script-src-attr 'none'; script-src 'self' challenges.cloudflare.com; media-src 'self' https:; img-src 'self' https: data:; frame-src challenges.cloudflare.com www.youtube-nocookie.com platform.twitter.com rumble.com player.twitch.tv; connect-src 'self' videos.watchpeopledie.tv use1.fptls.com use1.fptls3.com api.fpjs.io;";
+add_header Cross-Origin-Opener-Policy "same-origin";
diff --git a/nginx-serve-static.conf b/includes/serve-static
similarity index 100%
rename from nginx-serve-static.conf
rename to includes/serve-static
diff --git a/nginx-headers.conf b/nginx-headers.conf
deleted file mode 100644
index 3c334db66..000000000
--- a/nginx-headers.conf
+++ /dev/null
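Review bot: None of the six `add_header` lines in the new includes/headers file carries the `always` flag, so nginx emits these headers only on 2xx/3xx responses and every 4xx/5xx page (including any error page that reflects request data) goes out without CSP, HSTS, X-Frame-Options or nosniff; append it to each line, e.g. `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;`. A second caveat worth a comment at the top of the file: nginx does not merge `add_header` across levels, so any server or location block that includes this file and then declares its own `add_header` silently drops every header defined here — nginx.conf is outside this diff, so I cannot confirm whether that happens, but the include must be repeated in each such block. The CSP edit itself (adding `upgrade-insecure-requests` and one connect-src host) looks intentional and needs no change.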
@@ -1,6 +0,0 @@
-add_header Referrer-Policy "same-origin";
-add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
-add_header X-Frame-Options "deny";
-add_header X-Content-Type-Options "nosniff";
-add_header Content-Security-Policy "default-src 'none'; frame-ancestors 'none'; form-action 'self'; manifest-src 'self'; worker-src 'self'; base-uri 'self'; font-src 'self'; style-src-elem 'self'; style-src-attr 'unsafe-inline'; style-src 'self' 'unsafe-inline'; script-src-elem 'self' challenges.cloudflare.com; script-src-attr 'none'; script-src 'self' challenges.cloudflare.com; media-src 'self' https:; img-src 'self' https: data:; frame-src challenges.cloudflare.com www.youtube-nocookie.com platform.twitter.com rumble.com player.twitch.tv; connect-src 'self' use1.fptls.com use1.fptls3.com api.fpjs.io;";
-add_header Cross-Origin-Opener-Policy "same-origin";