diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index 0067d31e..f5e31702 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -238,6 +238,14 @@ http {
             return 301 /;
         }
 
+        location ^~ /fonts/ {
+            include snippets/security-headers.conf;
+            add_header Cross-Origin-Resource-Policy "same-origin" always;
+            add_header Cache-Control "public, max-age=31536000, immutable";
+            gzip_static off;
+            brotli_static off;
+        }
+
         location ~ "\.webmanifest$" {
             include snippets/security-headers.conf;
             add_header Cross-Origin-Resource-Policy "same-origin" always;
@@ -257,14 +265,6 @@ http {
             add_header Cache-Control "public, max-age=31536000";
         }
 
-        location ~ "\.woff2$" {
-            include snippets/security-headers.conf;
-            add_header Cross-Origin-Resource-Policy "same-origin" always;
-            add_header Cache-Control "public, max-age=31536000, immutable";
-            gzip_static off;
-            brotli_static off;
-        }
-
         location ~ "\.png$" {
             include snippets/security-headers.conf;
             # avoid breaking image hotlinking such as https://github.com/TryGhost/Ghost/issues/12880