Actually, this is not what I observe (with nginx 1.16.1). If I put a restrictive header like "default-src 'none';" in the top-level nginx.conf, and something like "default-src 'self' 'unsafe-inline';" inside a location block of a site requiring 'unsafe-inline', the site breaks. This behavior is the correct one for two header lines one after the other, because the browser only allows later headers to restrict the CSP, not to relax it.
The behavior I observe is consistent with curl only showing the last header, with the browser seeing them all, because nginx is in fact sending them in order.
Comment
Actually, this is not what I observe (with nginx 1.16.1). If I put a restrictive header like "default-src 'none';" in the top-level nginx.conf, and something like "default-src 'self' 'unsafe-inline';" inside a location block of a site requiring 'unsafe-inline', the site breaks. This behavior is the correct one for two header lines one after the other, because the browser only allows later headers to restrict the CSP, not to relax it.
The behavior I observe is consistent with curl only showing the last header, with the browser seeing them all, because nginx is in fact sending them in order.