diff --git a/h5bp/basic.conf b/h5bp/basic.conf
index e2b8eac0..fa23bee7 100644
--- a/h5bp/basic.conf
+++ b/h5bp/basic.conf
@@ -3,5 +3,3 @@
 
 include h5bp/internet_explorer/x-ua-compatible.conf;
 include h5bp/location/security_file_access.conf;
-include h5bp/location/web_performance_cache_expiration.conf;
-include h5bp/location/cross-origin_web_fonts.conf;
diff --git a/h5bp/cross-origin/requests.conf b/h5bp/cross-origin/requests.conf
index 7692fe96..052d087b 100644
--- a/h5bp/cross-origin/requests.conf
+++ b/h5bp/cross-origin/requests.conf
@@ -16,4 +16,4 @@
 # Allow access based on [sub]domain:
 #    add_header Access-Control-Allow-Origin "subdomain.example.com";
 
-add_header Access-Control-Allow-Origin "*";
+add_header Access-Control-Allow-Origin $cors;
diff --git a/h5bp/internet_explorer/x-ua-compatible.conf b/h5bp/internet_explorer/x-ua-compatible.conf
index 64ea2685..7fb1d25e 100644
--- a/h5bp/internet_explorer/x-ua-compatible.conf
+++ b/h5bp/internet_explorer/x-ua-compatible.conf
@@ -16,4 +16,4 @@
 # https://blogs.msdn.microsoft.com/ie/2014/04/02/stay-up-to-date-with-enterprise-mode-for-internet-explorer-11/
 # https://msdn.microsoft.com/en-us/library/ff955275.aspx
 
-add_header X-UA-Compatible "IE=Edge";
+add_header X-UA-Compatible $x_ua_compatible;
diff --git a/h5bp/location/cross-origin_images.conf b/h5bp/location/cross-origin_images.conf
deleted file mode 100644
index ed100b22..00000000
--- a/h5bp/location/cross-origin_images.conf
+++ /dev/null
@@ -1,18 +0,0 @@
-# ----------------------------------------------------------------------
-# | Cross-origin images                                                |
-# ----------------------------------------------------------------------
-
-# Send the CORS header for images when browsers request it.
-#
-# https://developer.mozilla.org/en-US/docs/Web/HTML/CORS_enabled_image
-# https://blog.chromium.org/2011/07/using-cross-domain-images-in-webgl-and.html
-
-location ~* \.(?:bmp|cur|gif|ico|jpe?g|png|svgz?|webp?)$ {
-  include h5bp/cross-origin/requests.conf;
-
-  # Also, set cache rules for images.
-  #
-  # https://nginx.org/en/docs/http/ngx_http_core_module.html#location
-  access_log off;
-  expires 1M;
-}
diff --git a/h5bp/location/cross-origin_web_fonts.conf b/h5bp/location/cross-origin_web_fonts.conf
deleted file mode 100644
index 3f700cd3..00000000
--- a/h5bp/location/cross-origin_web_fonts.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# ----------------------------------------------------------------------
-# | Cross-origin web fonts                                             |
-# ----------------------------------------------------------------------
-
-# Allow cross-origin access to web fonts.
-#
-# https://developers.google.com/fonts/docs/troubleshooting
-
-location ~* \.(?:eot|otf|tt[cf]|woff2?)$ {
-  include h5bp/cross-origin/requests.conf;
-
-  # Also, set cache rules for web fonts.
-  #
-  # https://nginx.org/en/docs/http/ngx_http_core_module.html#location
-  # https://github.com/h5bp/server-configs/issues/85
-  # https://github.com/h5bp/server-configs/issues/86
-  access_log off;
-  expires 1M;
-}
diff --git a/h5bp/location/web_performance_cache_expiration.conf b/h5bp/location/web_performance_cache_expiration.conf
deleted file mode 100644
index cdb2596d..00000000
--- a/h5bp/location/web_performance_cache_expiration.conf
+++ /dev/null
@@ -1,57 +0,0 @@
-# ----------------------------------------------------------------------
-# | Cache expiration                                                   |
-# ----------------------------------------------------------------------
-
-# Serve resources with far-future expiration date.
-#
-# (!) If you don't control versioning with filename-based
-# cache busting, you should consider lowering the cache times
-# to something like one week.
-#
-# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
-# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expires
-# https://nginx.org/en/docs/http/ngx_http_headers_module.html#expires
-
-# No default expire rule. This config mirrors that of apache as outlined in the
-# html5-boilerplate .htaccess file. However, nginx applies rules by location,
-# the apache rules are defined by type. A consequence of this difference is that
-# if you use no file extension in the url and serve html, with apache you get an
-# expire time of 0s, with nginx you'd get an expire header of one month in the
-# future (if the default expire rule is 1 month). Therefore, do not use a
-# default expire rule with nginx unless your site is completely static
-
-# Documents
-location ~* \.(?:manifest|appcache|html?|xml|json)$ {
-  expires 0;
-}
-
-# Feeds
-location ~* \.(?:rss|atom)$ {
-  expires 1h;
-}
-
-# Media files
-location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|mp4|ogg|ogv|webm|htc)$ {
-  access_log off;
-  expires 1M;
-}
-
-# Media: svgz files are already compressed.
-location ~* \.svgz$ {
-  access_log off;
-  gzip off;
-  expires 1M;
-}
-
-# CSS and JavaScript
-location ~* \.(?:css|js)$ {
-  expires 1y;
-  access_log off;
-}
-
-# Web fonts
-# If you are NOT using cross-domain-fonts.conf, uncomment the following directive
-# location ~* \.(?:eot|otf|tt[cf]|woff2?)$ {
-#   expires 1M;
-#   access_log off;
-# }
diff --git a/h5bp/security/content-security-policy.conf b/h5bp/security/content-security-policy.conf
index fb36a5e2..f5a92e61 100644
--- a/h5bp/security/content-security-policy.conf
+++ b/h5bp/security/content-security-policy.conf
@@ -20,4 +20,4 @@
 # https://content-security-policy.com/
 # https://www.html5rocks.com/en/tutorials/security/content-security-policy/
 
-add_header Content-Security-Policy "script-src 'self'; object-src 'self'" always;
+add_header Content-Security-Policy $content_security_policy always;
diff --git a/h5bp/security/x-frame-options.conf b/h5bp/security/x-frame-options.conf
index f0a5e9ec..6f931088 100644
--- a/h5bp/security/x-frame-options.conf
+++ b/h5bp/security/x-frame-options.conf
@@ -33,4 +33,4 @@
 # https://blogs.msdn.microsoft.com/ieinternals/2010/03/30/combating-clickjacking-with-x-frame-options/
 # https://www.owasp.org/index.php/Clickjacking
 
-add_header X-Frame-Options DENY always;
+add_header X-Frame-Options $x_frame_options always;
diff --git a/h5bp/security/x-xss-protection.conf b/h5bp/security/x-xss-protection.conf
index 71a5154c..8ebc0615 100644
--- a/h5bp/security/x-xss-protection.conf
+++ b/h5bp/security/x-xss-protection.conf
@@ -35,5 +35,4 @@
 # https://blogs.msdn.microsoft.com/ieinternals/2011/01/31/controlling-the-xss-filter/
 # https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
 
-#                           (1)    (2)
-add_header X-XSS-Protection "1; mode=block" always;
+add_header X-XSS-Protection $x_xss_protection always;
diff --git a/h5bp/web_performance/cache_expiration.conf b/h5bp/web_performance/cache_expiration.conf
new file mode 100644
index 00000000..84b7aed5
--- /dev/null
+++ b/h5bp/web_performance/cache_expiration.conf
@@ -0,0 +1,88 @@
+# ----------------------------------------------------------------------
+# | Cache expiration                                                   |
+# ----------------------------------------------------------------------
+
+# Serve resources with far-future expiration date.
+#
+# (!) If you don't control versioning with filename-based
+# cache busting, you should consider lowering the cache times
+# to something like one week.
+#
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expires
+# https://nginx.org/en/docs/http/ngx_http_headers_module.html#expires
+
+map $sent_http_content_type $expires {
+  default                               1M;
+
+  # CSS
+  text/css                              1y;
+
+  # Data interchange
+  application/atom+xml                  1h;
+  application/rdf+xml                   1h;
+  application/rss+xml                   1h;
+
+  application/json                      0;
+  application/ld+json                   0;
+  application/schema+json               0;
+  application/geo+json                  0;
+  application/xml                       0;
+  text/calendar                         0;
+  text/xml                              0;
+
+  # Favicon (cannot be renamed!) and cursor images
+  image/vnd.microsoft.icon              1w;
+  image/x-icon                          1w;
+
+  # HTML
+  text/html                             0;
+
+  # JavaScript
+  application/javascript                1y;
+  application/x-javascript              1y;
+  text/javascript                       1y;
+
+  # Manifest files
+  application/manifest+json             1w;
+  application/x-web-app-manifest+json   0;
+  text/cache-manifest                   0;
+
+
+  # Markdown
+  text/markdown                         0;
+
+  # Media files
+  audio/ogg                             1M;
+  image/bmp                             1M;
+  image/gif                             1M;
+  image/jpeg                            1M;
+  image/png                             1M;
+  image/svg+xml                         1M;
+  image/webp                            1M;
+  video/mp4                             1M;
+  video/ogg                             1M;
+  video/webm                            1M;
+
+  # WebAssembly
+  application/wasm                      1y;
+
+  # Web fonts
+  font/collection                       1M;
+  application/vnd.ms-fontobject         1M;
+  font/eot                              1M;
+  font/opentype                         1M;
+  font/otf                              1M;
+  application/x-font-ttf                1M;
+  font/ttf                              1M;
+  application/font-woff                 1M;
+  application/x-font-woff               1M;
+  font/woff                             1M;
+  application/font-woff2                1M;
+  font/woff2                            1M;
+
+  # Other
+  text/x-cross-domain-policy            1w;
+}
+
+expires $expires;
diff --git a/nginx.conf b/nginx.conf
index e67af271..3ea3dd46 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -93,6 +93,61 @@ http {
   # Enable gzip compression.
   include h5bp/web_performance/compression.conf;
 
+  # Specify file cache expiration.
+  include h5bp/web_performance/cache_expiration.conf;
+
+  # Add X-XSS-Protection for HTML documents.
+  # h5bp/security/x-xss-protection.conf
+  map $sent_http_content_type $x_xss_protection {
+    #         (1)    (2)
+    text/html "1; mode=block";
+  }
+
+  # Add X-Frame-Options for HTML documents.
+  # h5bp/security/x-frame-options.conf
+  map $sent_http_content_type $x_frame_options {
+    text/html DENY;
+  }
+
+  # Add Content-Security-Policy for HTML documents.
+  # h5bp/security/content-security-policy.conf
+  map $sent_http_content_type $content_security_policy {
+    text/html "script-src 'self'; object-src 'self'";
+  }
+
+  # Add X-UA-Compatible for HTML documents.
+  # h5bp/internet_explorer/x-ua-compatible.conf
+  map $sent_http_content_type $x_ua_compatible {
+    text/html "IE=edge";
+  }
+
+  # Add Access-Control-Allow-Origin.
+  # h5bp/cross-origin/requests.conf
+  map $sent_http_content_type $cors {
+    # Images
+    image/bmp     "*";
+    image/gif     "*";
+    image/jpeg    "*";
+    image/png     "*";
+    image/svg+xml "*";
+    image/webp    "*";
+    image/x-icon  "*";
+
+    # Web fonts
+    font/collection               "*";
+    application/vnd.ms-fontobject "*";
+    font/eot                      "*";
+    font/opentype                 "*";
+    font/otf                      "*";
+    application/x-font-ttf        "*";
+    font/ttf                      "*";
+    application/font-woff         "*";
+    application/x-font-woff       "*";
+    font/woff                     "*";
+    application/font-woff2        "*";
+    font/woff2                    "*";
+  }
+
   # Include files in the conf.d folder.
   # server{} configuration files should be placed in the conf.d folder.
   # The configurations should be disabled by prefixing files with a dot.