diff --git a/puppet/zulip/files/nginx/zulip-include-common/api_headers b/puppet/zulip/files/nginx/zulip-include-common/api_headers
new file mode 100644
index 0000000000..9e4718e142
--- /dev/null
+++ b/puppet/zulip/files/nginx/zulip-include-common/api_headers
@@ -0,0 +1,3 @@
+add_header Access-Control-Allow-Origin *;
+add_header Access-Control-Allow-Headers Authorization;
+add_header Access-Control-Allow-Methods 'GET, POST, DELETE, PUT, PATCH, HEAD';
diff --git a/puppet/zulip/files/nginx/zulip-include-frontend/app b/puppet/zulip/files/nginx/zulip-include-frontend/app
index 09adf20930..4ff23dc3e1 100644
--- a/puppet/zulip/files/nginx/zulip-include-frontend/app
+++ b/puppet/zulip/files/nginx/zulip-include-frontend/app
@@ -27,15 +27,9 @@ location ~ /json/events {
 
 # Send longpoll requests to Tornado
 location /api/v1/events {
-
-    add_header Access-Control-Allow-Origin *;
-    add_header Access-Control-Allow-Headers Authorization;
-    add_header Access-Control-Allow-Methods 'GET, POST';
+    include /etc/nginx/zulip-include/api_headers;
 
     if ($request_method = 'OPTIONS') {
-        add_header Access-Control-Allow-Origin *;
-        add_header Access-Control-Allow-Headers Authorization;
-        add_header Access-Control-Allow-Methods 'GET, POST';
         add_header 'Content-Type' 'text/plain charset=UTF-8';
         add_header 'Content-Length' 0;
         return 204;
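Review bot: `add_header` without the `always` parameter emits a header only on 200, 201, 204, 206, 301, 302, 303, 304, 307 and 308 responses, so the three CORS headers in this new include are absent from the 4xx/5xx responses the API returns (an authentication failure, for instance), and a browser-based client then cannot read the error body. If every supported nginx is 1.7.5 or newer, append `always` to each directive, e.g. `add_header Access-Control-Allow-Origin * always;`; the `trusty` branch in nginx.pp suggests older releases may still be deployed, so check before relying on it. A wildcard origin combined with an allowed `Authorization` header is coherent only because browsers never send cookies to a `*` origin, so the API is reachable cross-origin with a token but not with the session; a one-line comment at the top of the file stating that intent would keep a later edit from switching to a reflected origin without thinking about credentials.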
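Review bot: The OPTIONS branch at the end of the hunk no longer carries the CORS headers: nginx applies the `add_header` directives of the closest level that declares any, and the `if` block still declares `Content-Type` and `Content-Length`, so the `include /etc/nginx/zulip-include/api_headers;` added at location level is not inherited into the 204 preflight response. That inheritance rule is why the removed lines repeated the three headers inside the `if`; restoring them as `include /etc/nginx/zulip-include/api_headers;` on the first line of the `if` block keeps the preflight correct without duplicating the header list. The change also widens the methods advertised for /api/v1/events from `GET, POST` to the full list in api_headers; that is harmless for a longpoll endpoint but is a behaviour change the commit message should mention. Both the `if` and the location block close outside the hunk.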
@@ -60,15 +54,20 @@ location / {
     uwsgi_pass django;
 }
 
-# Certain Django routes not under /api are shared between mobile and
-# web and thus need API headers added. We don't collapse this with the
-# above block for /events, because regular expressions take priority over
-# paths in nginx's order-of-operations, and we don't want to override the
-# tornado stuff.
-location ~ ^/(user_uploads|avatar|thumbnail)/ {
-    add_header Access-Control-Allow-Origin *;
-    add_header Access-Control-Allow-Headers Authorization;
-    add_header Access-Control-Allow-Methods 'GET, POST, DELETE, PUT, PATCH, HEAD';
+# These Django routes not under /api are shared between mobile and
+# web, and thus need API headers added. We can't easily collapse
+# these blocks with the /api block, because regular expressions take
+# priority over paths in nginx's order-of-operations, and we don't
+# want to override the tornado configuration for /api/v1/events. The
+# last is handled via uploads-route.
+location /thumbnail {
+    include /etc/nginx/zulip-include/api_headers;
+
+    include uwsgi_params;
+    uwsgi_pass django;
+}
+location /avatar {
+    include /etc/nginx/zulip-include/api_headers;
 
     include uwsgi_params;
     uwsgi_pass django;
@@ -76,12 +75,11 @@ location ~ ^/(user_uploads|avatar|thumbnail)/ {
 
 # Send all API routes not covered above to Django via uWSGI
 location /api/ {
-    add_header Access-Control-Allow-Origin *;
-    add_header Access-Control-Allow-Headers Authorization;
-    add_header Access-Control-Allow-Methods 'GET, POST, DELETE, PUT, PATCH, HEAD';
+    include /etc/nginx/zulip-include/api_headers;
 
     include uwsgi_params;
     uwsgi_pass django;
 }
+include /etc/nginx/zulip-include/uploads.route;
 
 include /etc/nginx/zulip-include/app.d/*.conf;
diff --git a/puppet/zulip/files/nginx/zulip-include-maybe/uploads-route.direct b/puppet/zulip/files/nginx/zulip-include-maybe/uploads-route.direct
index 329250cbcc..932c9bb3b7 100644
--- a/puppet/zulip/files/nginx/zulip-include-maybe/uploads-route.direct
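Review bot: The last sentence of the new comment, `# last is handled via uploads-route.`, has lost its antecedent: the removed regex named user_uploads, the new text never does, so "the last" reads as referring to /api/v1/events. `# /user_uploads gets the same headers from uploads.route, included below.` says what is meant. Separately, the prefix locations `/thumbnail` and `/avatar` match any URI that starts with those strings (for example /avatars/...), whereas the removed regex `^/(user_uploads|avatar|thumbnail)/` required a following slash; if the wider match is intended (it is what lets a bare /thumbnail request qualify), the commit message should say so, otherwise `location /avatar/` and `location /thumbnail/` keep the old scope.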
+++ b/puppet/zulip/files/nginx/zulip-include-maybe/uploads-route.direct
@@ -1,4 +1,10 @@
+# This Django route not under /api is shared between mobile and web
+# and thus needs API headers added, in addition to the configuration
+# required to have it serve files directly.
+
 location /user_uploads {
+    include /etc/nginx/zulip-include/api_headers;
+
     add_header X-Content-Type-Options nosniff;
     add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self'; object-src 'self'; plugin-types application/pdf;";
     include /etc/nginx/zulip-include/uploads.types;
diff --git a/puppet/zulip/files/nginx/zulip-include-maybe/uploads-route.internal b/puppet/zulip/files/nginx/zulip-include-maybe/uploads-route.internal
index 6bad36e825..c429a8b6f4 100644
--- a/puppet/zulip/files/nginx/zulip-include-maybe/uploads-route.internal
+++ b/puppet/zulip/files/nginx/zulip-include-maybe/uploads-route.internal
@@ -5,3 +5,14 @@ location /serve_uploads {
     include /etc/nginx/zulip-include/uploads.types;
     alias /home/zulip/uploads/files;
 }
+
+# This Django route not under /api is shared between mobile and web
+# and thus needs API headers added, in addition to the configuration
+# required to have this URL be served by Django.
+
+location /user_uploads {
+    include /etc/nginx/zulip-include/api_headers;
+
+    include uwsgi_params;
+    uwsgi_pass django;
+}
diff --git a/puppet/zulip/files/nginx/zulip-include-maybe/uploads-route.noserve b/puppet/zulip/files/nginx/zulip-include-maybe/uploads-route.noserve
new file mode 100644
index 0000000000..0325dfd1b1
--- /dev/null
+++ b/puppet/zulip/files/nginx/zulip-include-maybe/uploads-route.noserve
@@ -0,0 +1,10 @@
+# This Django route not under /api is shared between mobile and web
+# and thus needs API headers added, in addition to the configuration
+# required to have this URL be served by Django.
+
+location /user_uploads {
+    include /etc/nginx/zulip-include/api_headers;
+
+    include uwsgi_params;
+    uwsgi_pass django;
+}
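Review bot: The `include /etc/nginx/zulip-include/api_headers;` in the new `location /user_uploads` block of uploads-route.internal probably never reaches the client for a successful download in this variant: if Django answers with an X-Accel-Redirect to /serve_uploads (the location's name and `alias` suggest that; its `internal;` line, if present, is above the hunk), nginx re-runs the request in that location and the `add_header` directives in effect are those of /serve_uploads, which declares none. Adding the same include to `location /serve_uploads` covers the served file, while the /user_uploads copy still covers the 302/403 responses Django generates itself; a request for an existing upload sent with an Origin header would confirm either way. The block is also byte-identical to the one in the new uploads-route.noserve; a shared include would keep the two from drifting.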
diff --git a/puppet/zulip/manifests/nginx.pp b/puppet/zulip/manifests/nginx.pp
index 4317a5d4aa..3a6341ce84 100644
--- a/puppet/zulip/manifests/nginx.pp
+++ b/puppet/zulip/manifests/nginx.pp
@@ -41,6 +41,11 @@ class zulip::nginx {
     'trusty' => 'puppet:///modules/zulip/nginx/zulip-include-maybe/uploads-route.direct',
     default => 'puppet:///modules/zulip/nginx/zulip-include-maybe/uploads-route.internal',
   }
+  $no_serve_uploads = zulipconf('application_server', 'no_serve_uploads', '')
+  if $no_serve_uploads != '' {
+    # If we're not serving uploads locally, set the appropriate API headers for it.
+    $uploads_route = 'puppet:///modules/zulip/nginx/zulip-include-maybe/uploads-route.noserve'
+  }
   file { '/etc/nginx/zulip-include/uploads.route':
     ensure => file,
diff --git a/puppet/zulip/templates/nginx/zulip-enterprise.template.erb b/puppet/zulip/templates/nginx/zulip-enterprise.template.erb
index 28c58a5034..9b1bfe1b37 100644
--- a/puppet/zulip/templates/nginx/zulip-enterprise.template.erb
+++ b/puppet/zulip/templates/nginx/zulip-enterprise.template.erb
@@ -37,7 +37,4 @@ server {
     include /etc/nginx/zulip-include/certbot;
     include /etc/nginx/zulip-include/app;
-<% if @no_serve_uploads == '' -%>
-    include /etc/nginx/zulip-include/uploads.route;
-<% end -%>
 }
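Review bot: The `$uploads_route = ...` inside the new `if` looks like a reassignment: the selector whose closing lines open the hunk assigns a variable a few lines above (its left-hand side is outside the hunk), and if that variable is `$uploads_route`, as the `file { '/etc/nginx/zulip-include/uploads.route'` resource below suggests, Puppet rejects the catalog with a "Cannot reassign variable" error whenever `no_serve_uploads` is set, because variables are single-assignment and `if` does not open a new scope. Making the selector the `else` branch gives each path exactly one assignment. The comment `# If we're not serving uploads locally, set the appropriate API headers for it.` describes the effect rather than the selection; `# Uploads are not served by this nginx, so /user_uploads only needs the CORS headers.` matches the line. The erb hunk that follows is a pure deletion and needs nothing.
```puppet
  $no_serve_uploads = zulipconf('application_server', 'no_serve_uploads', '')
  if $no_serve_uploads != '' {
    # Uploads are not served by this nginx, so /user_uploads only needs the CORS headers.
    $uploads_route = 'puppet:///modules/zulip/nginx/zulip-include-maybe/uploads-route.noserve'
  } else {
    $uploads_route = $SELECTOR_SUBJECT_FROM_ABOVE_THE_HUNK ? {  # placeholder: keep the existing selector expression
      'trusty' => 'puppet:///modules/zulip/nginx/zulip-include-maybe/uploads-route.direct',
      default => 'puppet:///modules/zulip/nginx/zulip-include-maybe/uploads-route.internal',
    }
  }
  # … unchanged: file { '/etc/nginx/zulip-include/uploads.route': … } …
```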