diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index 6a6dbb1c..b62b5633 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -216,7 +216,7 @@ http {
 
         location = /favicon.ico {
             if ($http_accept ~ "image/svg\+xml") {
-                rewrite ^ /favicon.svg last;
+                rewrite ^ /favicon.ico.svg last;
             }
             include snippets/security-headers.conf;
             # avoid breaking image hotlinking such as https://github.com/TryGhost/Ghost/issues/12880
@@ -224,6 +224,15 @@ http {
             add_header Cache-Control "public, max-age=604800";
         }
 
+        location = /favicon.ico.svg {
+            internal;
+            include snippets/security-headers.conf;
+            # avoid breaking image hotlinking such as https://github.com/TryGhost/Ghost/issues/12880
+            add_header Cross-Origin-Resource-Policy "cross-origin" always;
+            add_header Cache-Control "public, max-age=604800";
+            try_files /favicon.svg =404;
+        }
+
         # broken link (now fixed) on https://noagendaphone.com/ with UTF-8 replacement character
         location ~ "^/\xEF\xBF\xBC$" {
             return 301 /;