# Paste into NPM Custom Location advanced config for:
# - /
#
# This is where NPM reliably applies add_header/proxy_set_header directives.

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "DENY" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header X-Request-Id $request_id always;

proxy_set_header X-Request-Id $request_id;
proxy_read_timeout 60s;
proxy_send_timeout 60s;
proxy_connect_timeout 5s;