diff --git a/apps/drupal/microcache_fcgi.conf b/apps/drupal/microcache_fcgi.conf
index ea4e3f77..e7e8184c 100644
--- a/apps/drupal/microcache_fcgi.conf
+++ b/apps/drupal/microcache_fcgi.conf
@@ -23,29 +23,10 @@ fastcgi_ignore_headers Cache-Control Expires;
 ## Bypass the cache.
 fastcgi_cache_bypass $no_cache;
 fastcgi_no_cache $no_cache;
-## Add a cache miss/hit status header.
-add_header X-Micro-Cache $upstream_cache_status;
+
 ## To avoid any interaction with the cache control headers we expire
 ## everything on this location immediately.
 expires epoch;
-## Enable clickjacking protection in modern browsers. Available in
-## IE8 also. See
-## https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header
-## This may conflicts with pseudo streaming (at least with Nginx version 1.0.12).
-## Uncomment the line below if you're not using media streaming.
-## For sites *not* using frames uncomment the line below.
-#add_header X-Frame-Options DENY;
-## For sites *using* frames uncomment the line below.
-#add_header X-Frame-Options SAMEORIGIN;
-
-## Block MIME type sniffing on IE.
-add_header X-Content-Options nosniff;
-
-## Strict Transport Security header for enhanced security. See
-## http://www.chromium.org/sts. I've set it to 2 hours; set it to
-## whichever age you want.
-## Uncomment the line below if you're using HTTPS.
-#add_header Strict-Transport-Security max-age=7200;
 
 ## If you're using a Nginx version greater than 1.1.11 then uncomment
 ## the line below. See:
diff --git a/nginx.conf b/nginx.conf
index 2da6d130..67899376 100644
--- a/nginx.conf
+++ b/nginx.conf
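Review bot: Dropping the commented X-Frame-Options lines from this file also drops the caveat they carried, that DENY can interfere with pseudo streaming (noted against Nginx 1.0.12); the header is now set unconditionally at the http level in nginx.conf, so a streaming location inherits DENY unless it declares its own add_header. If that caveat still holds for the Nginx versions this config targets, it belongs next to the http-level directive, e.g. `## DENY may conflict with pseudo streaming; override per location if needed.`. The hunk also leaves two consecutive blank lines after `fastcgi_no_cache $no_cache;`, which the added empty line makes redundant. The location block this file is included from lies outside the hunk.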
@@ -163,9 +163,17 @@ http {
 ## line below.
 add_header X-Frame-Options DENY;
 
+ ## Enable this if using HTTPS. See sites-available/example.com.conf
+ ## for details.
+ #add_header Strict-Transport-Security "max-age=7200";
+
 ## Block MIME type sniffing on IE.
 add_header X-Content-Options nosniff;
 
+ ## Add a cache miss/hit status header. This can be disabled if not including
+ ## any of the apps/drupal/microcache* files.
+ add_header X-Micro-Cache $upstream_cache_status;
+
 ## Include the upstream servers for PHP FastCGI handling config.
 ## This one uses the FCGI process listening on TCP sockets.
 include upstream_phpcgi_tcp.conf;
diff --git a/sites-available/example.com.conf b/sites-available/example.com.conf
index 87775d81..04923cd0 100644
--- a/sites-available/example.com.conf
+++ b/sites-available/example.com.conf
@@ -173,8 +173,11 @@ server {
 
 ## Strict Transport Security header for enhanced security. See
 ## http://www.chromium.org/sts. I've set it to 2 hours; set it to
- ## whichever age you want.
- add_header Strict-Transport-Security "max-age=7200";
+ ## whichever age you want. However, we can't set this here because adding
+ ## a header will drop all other headers set earlier. See
+ ## http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header
+ ## for details. Instead, uncomment this in nginx.conf.
+ ## add_header Strict-Transport-Security "max-age=7200";
 
 root /var/www/sites/example.com;
 index index.php;
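Review bot: The X-Micro-Cache header and the security headers gathered here at the http level are still silently discarded by any server or location block that declares its own add_header, which is exactly the inheritance rule the example.com.conf hunk describes; moving them up only helps while no lower level uses add_header, and nothing in the new comments says so. The usual workaround is to keep this add_header set in one snippet and include it again at every level that adds its own header, and the comment above `add_header X-Micro-Cache $upstream_cache_status;` should warn about it, e.g. `## NOTE: any add_header in a server/location block discards all headers set here; re-declare this set there.`. Separately, the context line `add_header X-Content-Options nosniff;` uses a header name browsers do not recognise, so MIME-sniffing protection is not actually enabled; the directive should read `add_header X-Content-Type-Options nosniff;`. The enclosing http block starts and ends outside the hunk.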
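Review bot: Commenting out the only active Strict-Transport-Security line leaves HSTS off for the HTTPS vhost by default, and the replacement it points to in nginx.conf is also commented out, so the commit quietly weakens the example configuration without saying that HSTS is now opt-in. The http level is not the natural home for it either: browsers honour the header only when it arrives over TLS (RFC 6797), so a server block listening on 443 can keep `add_header Strict-Transport-Security "max-age=7200";` active as long as it also repeats the http-level add_header lines (or both levels include one shared snippet), which is the standard answer to the inheritance rule the new comment explains. The two new comments also refer to each other "for details"; one of them should carry the explanation. The server block starts and ends outside the hunk.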