diff --git a/config/nginx.sample.conf b/config/nginx.sample.conf
index b3c990adde9..62e619e9ec0 100644
--- a/config/nginx.sample.conf
+++ b/config/nginx.sample.conf
@@ -115,7 +115,6 @@ server {
     location ~* (fonts|assets|plugins|uploads)/.*\.(eot|ttf|woff|woff2|ico|otf)$ {
       expires 1y;
       add_header Cache-Control public,immutable;
-      add_header Access-Control-Allow-Origin *;
     }
 
     location = /srv/status {
@@ -135,7 +134,6 @@ server {
     location ~ ^/javascripts/ {
       expires 1d;
       add_header Cache-Control public,immutable;
-      add_header Access-Control-Allow-Origin *;
     }
 
     location ~ ^/assets/(?<asset_path>.+)$ {
@@ -183,10 +181,12 @@ server {
 
       # custom CSS
       location ~ /stylesheet-cache/ {
+          add_header Access-Control-Allow-Origin *;
           try_files $uri =404;
       }
       # this allows us to bypass rails
       location ~* \.(gif|png|jpg|jpeg|bmp|tif|tiff|ico|webp)$ {
+          add_header Access-Control-Allow-Origin *;
           try_files $uri =404;
       }
       # SVG needs an extra header attached
@@ -194,6 +194,7 @@ server {
       }
       # thumbnails & optimized images
       location ~ /_?optimized/ {
+          add_header Access-Control-Allow-Origin *;
           try_files $uri =404;
       }
 
@@ -252,6 +253,7 @@ server {
       break;
     }
 
+    add_header Access-Control-Allow-Origin *;
     # this means every file in public is tried first
     try_files $uri @discourse;
   }