Skip to content

Instantly share code, notes, and snippets.

@R0GGER

R0GGER/_hsts.conf

Last active May 22, 2025 19:00
Show Gist options
  • Save R0GGER/916183fca41f02df1471a6f455e5869f to your computer and use it in GitHub Desktop.
Save R0GGER/916183fca41f02df1471a6f455e5869f to your computer and use it in GitHub Desktop.
Download ZIP
Workaround - Security Headers @ NGINX Proxy Manager
Raw
_hsts.conf
{% if certificate and certificate_id > 0 -%}
{% if ssl_forced == 1 or ssl_forced == true %}
{% if hsts_enabled == 1 or hsts_enabled == true %}
# HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years)
add_header Strict-Transport-Security "max-age=63072000;{% if hsts_subdomains == 1 or hsts_subdomains == true -%} includeSubDomains;{% endif %} preload" always;
add_header Referrer-Policy strict-origin-when-cross-origin;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Frame-Options SAMEORIGIN;
add_header Content-Security-Policy upgrade-insecure-requests;
add_header Permissions-Policy interest-cohort=();
add_header Expect-CT 'enforce; max-age=604800';
more_set_headers 'Server: Proxy';
more_clear_headers 'X-Powered-By';
{% endif %}
{% endif %}
{% endif %}
@DKT69
Copy link

DKT69 commented May 21, 2025

may i ask this compatible with npmplus?

@DKT69
Copy link

DKT69 commented May 21, 2025
edited
Loading

i using on npmplus only get "B", any latest update for this?

Security Headers for NGINX Proxy Manager

Issue: NginxProxyManager/nginx-proxy-manager#582

Due to a bug it's impossible to add securityheaders to NGINX Proxy Manager. Use this workaround to fix this issue:

Step 1. Download _hsts.conf Step 2. Create a volume to this file (read-only)

Docker CLI

Volume location depends on Docker image.

Image: jlesage/nginx-proxy-manager

-v /PROXY-PATH/_hsts.conf:/opt/nginx-proxy-manager/templates/_hsts.conf:ro

Image: jc21/nginx-proxy-manager

-v /PROXY-PATH/_hsts.conf:/app/templates/_hsts.conf:ro

Docker Compose

Volume location depends on Docker image.

Image: jlesage/nginx-proxy-manager

volumes:
    -  /PROXY-PATH/_hsts.conf:/opt/nginx-proxy-manager/templates/_hsts.conf:ro

Image:"jc21/nginx-proxy-manager

volumes:
    -  /PROXY-PATH/_hsts.conf:/app/templates/_hsts.conf:ro

Step 3. Go to NGINX Proxy Manager, click Edit and go to the tab SSL. Enable and/or re-enable Force SSL, HSTS Enabled and HSTS Subdomains. qRU5q9

Done!

Note: If you have enabled an Access List not all headers will load. This is not a bug!

Result @ https://securityheaders.com:

lEqfXZ

Hi, i using on npmplus only get "B" with Cloudflare Proxied, any latest update for this?

image

@R0GGER
Copy link
Author

R0GGER commented May 21, 2025
edited
Loading

I think... I am not using npmplus, but anyway try this:

Add to hsts.conf

add_header Content-Security-Policy $hdr_content_security_policy;
add_header Permissions-Policy $hdr_permissions_policy;

Copy/paste in hsts.conf -> nano /opt/npmplus/hsts.conf

more_clear_headers "Expect-CT";
more_clear_headers "Public-Key-Pins";
more_set_headers "X-XSS-Protection: 0";

more_set_headers "X-Content-Type-Options: nosniff";
more_set_headers "X-Frame-Options: SAMEORIGIN"; # or what ever you set using env
more_set_headers "Content-Security-Policy: $content_security_policy"; # if not set by upstream: upgrade-insecure-requests, else upstreams value is used

more_set_headers "Strict-Transport-Security: $hsts_header"; # means: max-age=63072000; includeSubDomains; preload (includeSubDomains not if disabled via env)

add_header Content-Security-Policy $hdr_content_security_policy;
add_header Permissions-Policy $hdr_permissions_policy;

Add to compose.yaml

      - /opt/npmplus/hsts.conf:/usr/local/nginx/conf/conf.d/include/hsts.conf:ro

And restart npmplus....

@DKT69
Copy link

DKT69 commented May 22, 2025

I think... I am not using npmplus, but anyway try this:

Add to hsts.conf

add_header Content-Security-Policy $hdr_content_security_policy;
add_header Permissions-Policy $hdr_permissions_policy;

Copy/paste in hsts.conf -> nano /opt/npmplus/hsts.conf

more_clear_headers "Expect-CT";
more_clear_headers "Public-Key-Pins";
more_set_headers "X-XSS-Protection: 0";

more_set_headers "X-Content-Type-Options: nosniff";
more_set_headers "X-Frame-Options: SAMEORIGIN"; # or what ever you set using env
more_set_headers "Content-Security-Policy: $content_security_policy"; # if not set by upstream: upgrade-insecure-requests, else upstreams value is used

more_set_headers "Strict-Transport-Security: $hsts_header"; # means: max-age=63072000; includeSubDomains; preload (includeSubDomains not if disabled via env)

add_header Content-Security-Policy $hdr_content_security_policy;
add_header Permissions-Policy $hdr_permissions_policy;

Add to compose.yaml

      - /opt/npmplus/hsts.conf:/usr/local/nginx/conf/conf.d/include/hsts.conf:ro

And restart npmplus....

i getting error

nginx: [emerg] invalid number of arguments in "add_header" directive in /usr/local/nginx/conf/conf.d/include/hsts.conf:11

@R0GGER
Copy link
Author

R0GGER commented May 22, 2025

Have you tried to change add_header to more_set_headers?

add_header Content-Security-Policy $hdr_content_security_policy;
add_header Permissions-Policy $hdr_permissions_policy;

more_set_headers "Content-Security-Policy $hdr_content_security_policy";
more_set_headers "Permissions-Policy $hdr_permissions_policy";

@DKT69
Copy link

DKT69 commented May 22, 2025

yes tried. it error too.

nginx: [emerg] unknown "hdr_content_security_policy" variable

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment