diff --git a/charts/countly-web-ui-canary/templates/ingress-master.yaml b/charts/countly-web-ui-canary/templates/ingress-master.yaml
index 2ff5ada..6e75e12 100644
--- a/charts/countly-web-ui-canary/templates/ingress-master.yaml
+++ b/charts/countly-web-ui-canary/templates/ingress-master.yaml
@@ -13,6 +13,13 @@ metadata:
 # ssl-redirect default flips to true when a tls: block is set; keep
 # plain HTTP open for the ACME challenge on issuance and renewal.
 nginx.org/ssl-redirect: "false"
+ {{- if .Values.ingress.tls.proxyHideHSTS }}
+ # F5 NIC ignores `nginx.org/proxy-hide-headers` on minions in mergeable
+ # mode — it only honors it at master. Strip HSTS leaking from the
+ # stable backend so a misconfigured canary can't pin a browser to
+ # expecting valid TLS for .v2.count.ly after the canary is gone.
+ nginx.org/proxy-hide-headers: "Strict-Transport-Security"
+ {{- end }}
 {{- include "canary.ingressAnnotations" . | nindent 4 }}
 spec:
 ingressClassName: {{ .Values.ingress.className }}
diff --git a/charts/countly-web-ui-canary/templates/ingress-minion.yaml b/charts/countly-web-ui-canary/templates/ingress-minion.yaml
index df61f58..311fbab 100644
--- a/charts/countly-web-ui-canary/templates/ingress-minion.yaml
+++ b/charts/countly-web-ui-canary/templates/ingress-minion.yaml
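Review bot: At master, `nginx.org/proxy-hide-headers` applies to every path served under the host, so the stable backend's HSTS is dropped for all clients, not just for canary traffic — the host loses HTTPS-downgrade protection for as long as `proxyHideHSTS` is on. If that trade-off is intended, record it in values.yaml next to `proxyHideHSTS`, and consider having the ingress emit its own `Strict-Transport-Security` once the host's TLS is known good instead of relying on the backend's header. The new `{{- if .Values.ingress.tls.proxyHideHSTS }}` fails at render time with a nil-pointer error if `ingress.tls` can be omitted entirely (the existing comment above suggests the `tls:` block is optional); `{{- if dig "tls" "proxyHideHSTS" false .Values.ingress }}` renders cleanly in that case. The same guard already exists in ingress-minion.yaml, so change both together if you take this.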
@@ -15,10 +15,12 @@ metadata:
 annotations:
 nginx.org/mergeable-ingress-type: minion
 {{- if .Values.ingress.tls.proxyHideHSTS }}
- # Strip HSTS leaking from the stable backend so a misconfigured canary
- # can't pin a browser to expecting valid TLS for .v2.count.ly
- # after the canary is torn down.
- nginx.org/proxy-hide-headers: "Strict-Transport-Security"
+ # Snippet fallback: F5 NIC's `nginx.org/proxy-hide-headers` annotation
+ # is master-level, but proxy_hide_header is a per-location directive,
+ # so we also drop it directly into each minion path's location block.
+ # Belt-and-suspenders against HSTS leaking from the stable backend.
+ nginx.org/location-snippets: |
+ proxy_hide_header Strict-Transport-Security;
 {{- end }}
 {{- include "canary.ingressAnnotations" . | nindent 4 }}
 spec:
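Review bot: `nginx.org/location-snippets` is only honoured when the controller runs with `-enable-snippets`, which F5 NIC leaves off by default; on a controller without that flag the annotation fails validation and the minion is rejected (as far as I recall, with a warning event), so the canary path disappears rather than merely losing the HSTS stripping. Gate the snippet on its own chart value (a new key, name your choice) so a cluster without snippets can still use the annotation-only path, and document the controller-flag requirement in values.yaml beside `proxyHideHSTS`. Keep the snippet body a fixed literal as it is here — a snippet is raw NGINX config injected into the location block, so nothing from values should be templated into it. If `canary.ingressAnnotations` also emits a `nginx.org/location-snippets` key, the later key silently wins in YAML; worth confirming the helper does not.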