Use `always` for security headers

[lognaturel]

By default, nginx only applies headers to success responses. Security-related headers, especially CSP, should always be applied: https://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header

[matthew-white]

Closed by #1651.