@R0GGER
Last active May 22, 2025 19:00
Workaround - Security Headers @ NGINX Proxy Manager
{% if certificate and certificate_id > 0 -%}
{% if ssl_forced == 1 or ssl_forced == true %}
{% if hsts_enabled == 1 or hsts_enabled == true %}
# HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years)
add_header Strict-Transport-Security "max-age=63072000;{% if hsts_subdomains == 1 or hsts_subdomains == true -%} includeSubDomains;{% endif %} preload" always;
add_header Referrer-Policy strict-origin-when-cross-origin;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Frame-Options SAMEORIGIN;
add_header Content-Security-Policy upgrade-insecure-requests;
add_header Permissions-Policy interest-cohort=();
add_header Expect-CT 'enforce; max-age=604800';
more_set_headers 'Server: Proxy';
more_clear_headers 'X-Powered-By';
{% endif %}
{% endif %}
{% endif %}
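Added here as an example (not the gist author's code): a small Python audit that checks a captured response header block against the header set the workaround above emits, and flags two things the template leaves open, a max-age below the hard-coded 2-year value and preload without includeSubDomains (which the HSTS preload list requires). The functions parse_headers and audit and the constructed SAMPLE response are assumptions of this example.

```python
# Added example, not part of the gist: audit a response header block (as
# printed by `curl -sI`) against the headers the workaround above emits.
import re

EXPECTED = {  # header name -> regex its value must match
    "strict-transport-security": r"^max-age=\d+",
    "referrer-policy": r"^strict-origin-when-cross-origin$",
    "x-content-type-options": r"^nosniff$",
    "x-frame-options": r"^SAMEORIGIN$",
    "content-security-policy": r"upgrade-insecure-requests",
    "permissions-policy": r"interest-cohort=\(\)",
}
MIN_HSTS_AGE = 63072000  # two years, the value the gist hard-codes

def parse_headers(raw):
    """Map lower-cased header names to values, skipping the status line."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def audit(raw):
    """Return findings; an empty list means the response matches the gist."""
    h = parse_headers(raw)
    findings = []
    for name, pattern in EXPECTED.items():
        if name not in h:
            findings.append(f"missing {name}")
        elif not re.search(pattern, h[name]):
            findings.append(f"unexpected {name}: {h[name]}")
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if m and int(m.group(1)) < MIN_HSTS_AGE:
        findings.append(f"hsts max-age too low: {m.group(1)}")
    # The preload list requires includeSubDomains; the template can drop it.
    if "preload" in hsts and "includesubdomains" not in hsts.lower():
        findings.append("hsts preload without includeSubDomains")
    if "x-powered-by" in h:  # the gist clears this header
        findings.append(f"leaked x-powered-by: {h['x-powered-by']}")
    if re.search(r"\d", h.get("server", "")):  # gist rewrites Server: Proxy
        findings.append(f"server header reveals version: {h['server']}")
    return findings

# Constructed sample response, not captured from a real host.
SAMPLE = """HTTP/2 200
server: nginx/1.24.0
x-powered-by: PHP/8.2
strict-transport-security: max-age=31536000; preload
x-content-type-options: nosniff
"""
```

Run `audit(SAMPLE)` after applying the workaround to see what is still missing; a compliant response yields an empty list.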
@R0GGER
Author

R0GGER commented May 21, 2025

I think... I am not using npmplus, but anyway try this:

Add to hsts.conf

add_header Content-Security-Policy $hdr_content_security_policy;
add_header Permissions-Policy $hdr_permissions_policy;

Copy/paste in hsts.conf -> nano /opt/npmplus/hsts.conf

more_clear_headers "Expect-CT";
more_clear_headers "Public-Key-Pins";
more_set_headers "X-XSS-Protection: 0";

more_set_headers "X-Content-Type-Options: nosniff";
more_set_headers "X-Frame-Options: SAMEORIGIN"; # or whatever you set using env
more_set_headers "Content-Security-Policy: $content_security_policy"; # if not set by upstream: upgrade-insecure-requests, else the upstream's value is used

more_set_headers "Strict-Transport-Security: $hsts_header"; # means: max-age=63072000; includeSubDomains; preload (includeSubDomains not if disabled via env)

add_header Content-Security-Policy $hdr_content_security_policy;
add_header Permissions-Policy $hdr_permissions_policy;

Add to compose.yaml

      - /opt/npmplus/hsts.conf:/usr/local/nginx/conf/conf.d/include/hsts.conf:ro

And restart npmplus....

@DKT69

DKT69 commented May 22, 2025

I'm getting an error:

nginx: [emerg] invalid number of arguments in "add_header" directive in /usr/local/nginx/conf/conf.d/include/hsts.conf:11

@R0GGER
Author

R0GGER commented May 22, 2025

Have you tried to change add_header to more_set_headers?

add_header Content-Security-Policy $hdr_content_security_policy;
add_header Permissions-Policy $hdr_permissions_policy;
more_set_headers "Content-Security-Policy: $hdr_content_security_policy";
more_set_headers "Permissions-Policy: $hdr_permissions_policy";

@DKT69

DKT69 commented May 22, 2025

Yes, tried. It errors too.

nginx: [emerg] unknown "hdr_content_security_policy" variable
