HSTS (includeSubDomains) with Nginx Proxy Manager #5464
AngelN-Halo started this conversation in Ideas
Something I discovered today that has been driving me nuts: when using Nginx Proxy Manager (NPM) with proxy hosts, enabling HSTS (especially with includeSubDomains) via the GUI does not reliably apply the header to proxied responses.
The fix is to manually add the HSTS header inside the location block of the proxy host configuration.
Symptoms: `curl -I https://host.example.com` shows either
- Missing Strict-Transport-Security, or
- HSTS present but missing includeSubDomains
while the NPM GUI shows HSTS / HSTS Sub-domains enabled.
Root Cause
For proxied responses (proxy_pass), add_header directives defined at the server level are not applied to responses generated inside a location block, even when:
- always is used
- HTTP/2 is enabled
NPM places HSTS headers at the server {} level, which works for:
- Default hosts
- Static responses
...but fails for proxy hosts.
Correct and Compliant Fix
For the proxy host:
❌ Disable HSTS
❌ Disable HSTS Sub-domains
✅ Keep Force SSL enabled
This prevents conflicting or ineffective headers.
Add HSTS inside the location block
In Proxy Host config → Advanced, add:
```nginx
location / {
    # add_header directives are only inherited from server {} when the
    # location defines none of its own, so HSTS is declared here so that
    # it is emitted on proxied responses as well
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    # WebSocket / HTTP/1.1 upgrade passthrough to the backend
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    proxy_http_version 1.1;
    # NPM's standard proxy settings (proxy_pass and friends)
    include conf.d/include/proxy.conf;
}
```
Then verify with:
```
curl -I https://your-host.example.com
```
Expected output:
```
Strict-Transport-Security: max-age=63072000; includeSubDomains;
```
This isn't earth-shattering, but it would be nice if the GUI buttons worked in this configuration!
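As an added check that is not part of the original post: a small POSIX shell script that takes the raw headers from `curl -I` and reports whether the HSTS policy really carries `includeSubDomains` and a max-age of at least a year, so the fix above can be verified rather than eyeballed. The sample header blocks embedded in it are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original post): validate the HSTS policy in a
# captured set of HTTP response headers, such as the output of `curl -I`.

# Print the Strict-Transport-Security value (header name matched
# case-insensitively), or nothing if absent. $1 = raw response headers.
hsts_value() {
    printf '%s\n' "$1" | tr -d '\r' | grep -i '^strict-transport-security:' |
        head -n 1 | sed 's/^[^:]*:[[:space:]]*//'
}

# Exit status: 0 = policy OK, 1 = header missing, 2 = max-age below the
# minimum, 3 = includeSubDomains missing.
# $1 = raw response headers, $2 = minimum max-age in seconds (default 1 year).
check_hsts() {
    value=$(hsts_value "$1")
    min_age=${2:-31536000}
    if [ -z "$value" ]; then
        echo "FAIL: Strict-Transport-Security header missing"
        return 1
    fi
    # Directive names are case-insensitive, so compare in lower case.
    lower=$(printf '%s' "$value" | tr 'A-Z' 'a-z')
    max_age=$(printf '%s' "$lower" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    if [ -z "$max_age" ] || [ "$max_age" -lt "$min_age" ]; then
        echo "FAIL: max-age '${max_age:-none}' is below $min_age"
        return 2
    fi
    case "$lower" in
        *includesubdomains*) ;;
        *) echo "FAIL: includeSubDomains directive missing"; return 3 ;;
    esac
    echo "OK: $value"
    return 0
}

# Constructed sample responses (not captured from a real host).
HDR_OK='HTTP/2 200
server: nginx
strict-transport-security: max-age=63072000; includeSubDomains; preload
content-type: text/html'
HDR_NOSUB='HTTP/2 200
Strict-Transport-Security: max-age=63072000'
HDR_MISSING='HTTP/2 200
server: nginx'
```

Against a live host, run `check_hsts "$(curl -sI https://your-host.example.com)"` and act on the exit status.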