“The recommended configuration for reverse proxies has been updated. [...] The change is about setting Content-Security-Policy: default-src 'none'; form-action 'none' and X-Content-Type-Options: nosniff on assets.”
This might be a bit confusing, because of the terminology:
Those two lines ought to to into the location ~ ^/system/ block - NOTlocation ~ ^/assets/
