diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index 717a4691..7a5d8a8f 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -238,6 +238,13 @@ http {
 try_files /favicon.svg =404;
 }
 
+ location = /favicon.svg {
+ include snippets/security-headers.conf;
+ # avoid breaking image hotlinking such as https://github.com/TryGhost/Ghost/issues/12880
+ add_header Cross-Origin-Resource-Policy "cross-origin" always;
+ add_header Cache-Control "public, max-age=604800";
+ }
+
 location = /mask-icon.svg {
 include snippets/security-headers.conf;
 add_header Cross-Origin-Resource-Policy "same-origin" always;
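Review bot: The relaxed `Cross-Origin-Resource-Policy "cross-origin"` in the new `location = /favicon.svg` block only reaches requests that match that URI exactly. The block ending just above it serves the same file through `try_files /favicon.svg =404;`, and nginx processes a file found by try_files in the current location, so those responses keep whatever headers that earlier block sets; its start is outside the hunk, so this could not be checked here. If hotlinking through that path should work too, that block needs the same `add_header Cross-Origin-Resource-Policy "cross-origin" always;` line. It is also worth confirming that snippets/security-headers.conf does not emit its own Cross-Origin-Resource-Policy, because add_header appends rather than overrides and the response would then carry two conflicting values. As this is a deliberate exception to the "same-origin" policy used for /mask-icon.svg, I would extend the comment to say so, e.g. `# deliberate exception: public icon only, do not copy to other locations`.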