diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index ca2211d6..ebd0ab8d 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -238,6 +238,12 @@ http {
             try_files /favicon.svg =404;
         }
 
+        location = /mask-icon.svg {
+            include snippets/security-headers.conf;
+            add_header Cross-Origin-Resource-Policy "same-origin" always;
+            add_header Cache-Control "public, max-age=31536000, immutable";
+        }
+
         location ^~ /fonts/ {
             include snippets/security-headers.conf;
             add_header Cross-Origin-Resource-Policy "same-origin" always;
@@ -258,13 +264,6 @@ http {
             add_header Cache-Control "public, max-age=31536000, immutable";
         }
 
-        location ~ "\.svg$" {
-            include snippets/security-headers.conf;
-            # avoid breaking image hotlinking such as https://github.com/TryGhost/Ghost/issues/12880
-            add_header Cross-Origin-Resource-Policy "cross-origin" always;
-            add_header Cache-Control "public, max-age=31536000";
-        }
-
         location ~ "\.png$" {
             include snippets/security-headers.conf;
             # avoid breaking image hotlinking such as https://github.com/TryGhost/Ghost/issues/12880
diff --git a/process_static b/process_static
index 1bebae0f..1edd56d1 100755
--- a/process_static
+++ b/process_static
@@ -18,7 +18,7 @@ find static_tmp -name '*.css' -exec csso {} -o {} \;
 find static_tmp -name '*.js' -exec terser --module -cmo {} {} \;
 
 replace=""
-for file in static_tmp/**/*.css static_tmp/js/*.js; do
+for file in static_tmp/**/*.css static_tmp/js/*.js static_tmp/mask-icon.svg; do
     hash=$(sha256sum "$file" | head -c 8)
     dest="$(dirname $file)/$hash.$(basename $file)"
     mv "$file" "$dest"