diff --git a/deploy/docker.nginx.template b/deploy/docker.nginx.template
index 218dc3139..4a66c0614 100644
--- a/deploy/docker.nginx.template
+++ b/deploy/docker.nginx.template
@@ -47,7 +47,7 @@ server {
 add_header Cache-Control "public, must-revalidate, proxy-revalidate";
 }
- location /front/embed.html {
+ location = /front/embed.html {
 add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
 add_header Referrer-Policy "strict-origin-when-cross-origin";
@@ -81,7 +81,7 @@ server {
 # this is an internal location that is used to serve
 # audio files once correct permission / authentication
 # has been checked on API side
- location /_protected/media {
+ location /_protected/media/ {
 internal;
 alias ${MEDIA_ROOT};
@@ -95,7 +95,7 @@ server {
 # proxy_pass $1;
 # }
- location /_protected/music {
+ location /_protected/music/ {
 # this is an internal location that is used to serve
 # audio files once correct permission / authentication
 # has been checked on API side
diff --git a/deploy/nginx.template b/deploy/nginx.template
index b0c048c1d..2e6c81081 100644
--- a/deploy/nginx.template
+++ b/deploy/nginx.template
@@ -93,7 +93,7 @@ server {
 add_header Pragma public;
 add_header Cache-Control "public, must-revalidate, proxy-revalidate";
 }
- location /front/embed.html {
+ location = /front/embed.html {
 add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:; worker-src 'self'";
 add_header Referrer-Policy "strict-origin-when-cross-origin";
@@ -124,7 +124,7 @@ server {
 alias ${MEDIA_ROOT}/;
 }
- location /_protected/media {
+ location /_protected/media/ {
 # this is an internal location that is used to serve
 # audio files once correct permission / authentication
 # has been checked on API side
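Review bot: The exact-match `location = /front/embed.html` has no comment saying why the modifier is there, and the policy it serves differs between the two templates: the Content-Security-Policy in deploy/docker.nginx.template ends at `media-src 'self' data:` while deploy/nginx.template adds `worker-src 'self'` on the same location. A one-line comment such as `# exact match: the embed CSP applies to this file only, not to every URI sharing the prefix` would keep a later edit from reverting to a prefix match. Browsers probably fall back to `script-src` or `default-src` for workers, so the effective policy may be the same, but identical header values in both templates are easier to audit. The location block continues past the end of the hunk.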
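Review bot: With the prefix now ending in a slash, `alias ${MEDIA_ROOT};` in the `/_protected/media/` block of deploy/docker.nginx.template no longer leaves a separator between the aliased directory and the rest of the URI, because nginx substitutes the alias value for the matched prefix verbatim. Unless MEDIA_ROOT is rendered with a trailing slash (not visible here), a request for `/_protected/media/FILE` would resolve to `${MEDIA_ROOT}FILE`; the line should become `alias ${MEDIA_ROOT}/;`, the form deploy/nginx.template already shows in the context of its `-124` hunk. The same location/alias pairing is worth checking for the `/_protected/music/` blocks in both templates and for `/_protected/media/` in deploy/nginx.template, whose alias lines fall outside the hunks shown.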
@@ -141,7 +141,7 @@ server {
 # proxy_pass $1;
 # }
- location /_protected/music {
+ location /_protected/music/ {
 # this is an internal location that is used to serve
 # audio files once correct permission / authentication
 # has been checked on API side