diff --git a/Dockerfile b/Dockerfile
index 8228c3b7..f32d493d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -45,7 +45,7 @@ RUN apk add --no-cache ca-certificates git build-base && \
sed -i "s|BAN_TEMPLATE_PATH=.*|BAN_TEMPLATE_PATH=/data/etc/crowdsec/ban.html|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \
sed -i "s|CAPTCHA_TEMPLATE_PATH=.*|CAPTCHA_TEMPLATE_PATH=/data/etc/crowdsec/captcha.html|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf
-FROM zoeyvid/certbot-docker:12 as certbot
+FROM zoeyvid/certbot-docker:13 as certbot
FROM zoeyvid/nginx-quic:211
SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
@@ -56,38 +56,14 @@ RUN apk add --no-cache ca-certificates tzdata tini \
openssl apache2-utils \
coreutils grep jq curl shadow sudo \
luarocks5.1 wget lua5.1-dev build-base git yarn && \
- wget -q https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended -O /usr/local/nginx/conf/conf.d/include/modsecurity.conf && \
+ wget -q https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended -O /usr/local/nginx/conf/conf.d/include/modsecurity.conf.example && \
wget -q https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/unicode.mapping -O /usr/local/nginx/conf/conf.d/include/unicode.mapping && \
- sed -i "s|SecRuleEngine .*|SecRuleEngine On|g" /usr/local/nginx/conf/conf.d/include/modsecurity.conf && \
- echo "Include /data/etc/modsecurity/modsecurity.conf" | tee -a /usr/local/nginx/conf/conf.d/include/modsecurity.conf && \
- cp /usr/local/nginx/conf/conf.d/include/modsecurity.conf /usr/local/nginx/conf/conf.d/include/modsecurity-crs.conf && \
- echo "Include /data/etc/modsecurity/crs-setup.conf" | tee -a /usr/local/nginx/conf/conf.d/include/modsecurity-crs.conf && \
- echo "Include /usr/local/nginx/conf/conf.d/include/coreruleset/crs-setup.conf" | tee -a /usr/local/nginx/conf/conf.d/include/modsecurity-crs.conf && \
- echo "#Include /usr/local/nginx/conf/conf.d/include/coreruleset/plugins/*-config.conf" | tee -a /usr/local/nginx/conf/conf.d/include/modsecurity-crs.conf && \
- echo "#Include /usr/local/nginx/conf/conf.d/include/coreruleset/plugins/*-before.conf" | tee -a /usr/local/nginx/conf/conf.d/include/modsecurity-crs.conf && \
- echo "Include /usr/local/nginx/conf/conf.d/include/coreruleset/rules/*.conf" | tee -a /usr/local/nginx/conf/conf.d/include/modsecurity-crs.conf && \
- echo "#Include /usr/local/nginx/conf/conf.d/include/coreruleset/plugins/*-after.conf" | tee -a /usr/local/nginx/conf/conf.d/include/modsecurity-crs.conf && \
+ sed -i "s|SecRuleEngine.*|SecRuleEngine On|g" /usr/local/nginx/conf/conf.d/include/modsecurity.conf.example && \
+ sed -i "s|unicode.mapping|/usr/local/nginx/conf/conf.d/include/unicode.mapping|g" /usr/local/nginx/conf/conf.d/include/modsecurity.conf.example && \
git clone https://github.com/coreruleset/coreruleset /tmp/coreruleset && \
mkdir /usr/local/nginx/conf/conf.d/include/coreruleset && \
- cp /tmp/coreruleset/crs-setup.conf.example /usr/local/nginx/conf/conf.d/include/coreruleset/crs-setup.conf.example && \
- sed -i '/#/!d' /usr/local/nginx/conf/conf.d/include/coreruleset/crs-setup.conf.example && \
- mv /tmp/coreruleset/crs-setup.conf.example /usr/local/nginx/conf/conf.d/include/coreruleset/crs-setup.conf && \
+ mv -v /tmp/coreruleset/crs-setup.conf.example /usr/local/nginx/conf/conf.d/include/coreruleset/crs-setup.conf.example && \
mv /tmp/coreruleset/rules /usr/local/nginx/conf/conf.d/include/coreruleset/rules && \
- #git clone --recursive https://github.com/coreruleset/phpmyadmin-rule-exclusions-plugin /tmp/phpmyadmin-rule-exclusions-plugin && \
- #git clone --recursive https://github.com/coreruleset/nextcloud-rule-exclusions-plugin /tmp/nextcloud-rule-exclusions-plugin && \
- #git clone --recursive https://github.com/coreruleset/wordpress-rule-exclusions-plugin /tmp/wordpress-rule-exclusions-plugin && \
- #git clone --recursive https://github.com/coreruleset/cpanel-rule-exclusions-plugin /tmp/cpanel-rule-exclusions-plugin && \
- #git clone --recursive https://github.com/coreruleset/body-decompress-plugin /tmp/body-decompress-plugin && \
- #git clone --recursive https://github.com/coreruleset/auto-decoding-plugin /tmp/auto-decoding-plugin && \
- #git clone --recursive https://github.com/coreruleset/google-oauth2-plugin /tmp/google-oauth2-plugin && \
- mv /tmp/coreruleset/plugins /usr/local/nginx/conf/conf.d/include/coreruleset/plugins && \
- #mv /tmp/phpmyadmin-rule-exclusions-plugin/plugins/* /usr/local/nginx/conf/conf.d/include/coreruleset/plugins && \
- #mv /tmp/nextcloud-rule-exclusions-plugin/plugins/* /usr/local/nginx/conf/conf.d/include/coreruleset/plugins && \
- #mv /tmp/wordpress-rule-exclusions-plugin/plugins/* /usr/local/nginx/conf/conf.d/include/coreruleset/plugins && \
- #mv /tmp/cpanel-rule-exclusions-plugin/plugins/* /usr/local/nginx/conf/conf.d/include/coreruleset/plugins && \
- #mv /tmp/body-decompress-plugin/plugins/* /usr/local/nginx/conf/conf.d/include/coreruleset/plugins && \
- #mv /tmp/auto-decoding-plugin/plugins/* /usr/local/nginx/conf/conf.d/include/coreruleset/plugins && \
- #mv /tmp/google-oauth2-plugin/plugins/* /usr/local/nginx/conf/conf.d/include/coreruleset/plugins && \
rm -r /tmp/* && \
luarocks-5.1 install lua-resty-http && \
luarocks-5.1 install lua-cjson && \
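Review bot: The ModSecurity config fetched on the renamed `.example` line still comes from the unpinned `master` branch of SpiderLabs/ModSecurity with no checksum, and the `git clone https://github.com/coreruleset/coreruleset` below it is equally unpinned, so two builds of the same Dockerfile can ship different engine defaults and different WAF rules and nothing verifies what was downloaded. Pin both to a release tag or commit and verify the download, e.g. `wget -q https://raw.githubusercontent.com/SpiderLabs/ModSecurity/<pinned-tag>/modsecurity.conf-recommended -O /usr/local/nginx/conf/conf.d/include/modsecurity.conf.example && echo "<expected-sha256>  /usr/local/nginx/conf/conf.d/include/modsecurity.conf.example" | sha256sum -c -` and `git clone --depth 1 --branch <crs-tag> https://github.com/coreruleset/coreruleset /tmp/coreruleset`. The `sed` that switches the engine on is also unanchored (`SecRuleEngine.*`), so any comment line containing that word is rewritten too; `sed -i "s|^SecRuleEngine .*|SecRuleEngine On|"` limits it to the directive itself. The `RUN` chain begins and ends outside the hunk.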
diff --git a/README.md b/README.md
index 79f95fc0..5aad684c 100644
--- a/README.md
+++ b/README.md
@@ -16,6 +16,8 @@ running at home or otherwise, including free TLS, without having to know too muc
**Note: If you don't use network mode host, which I don't recommend, don't forget to expose port 443 on tcp AND udp (http3/quic needs udp).**
**Note: If you don't use network mode host, which I don't recommend, don't forget to enable IPv6 in Docker, see [here](https://github.com/nextcloud/all-in-one/blob/main/docker-ipv6-support.md), you only need to edit the daemon.json and restart docker, if you use the bridge network, otherwise please enable IPv6 in your custom docker network!**
**Note: Don't forget to open Port 80 (tcp) and 443 (tcp AND udp, http3/quic needs udp) in your firewall (because of network mode host, you also need to open this ports in ufw, if you use ufw).**
+**Note: ModSecurity overblocking (403 Error)? Please see `/data/etc/modsecurity/modsecurity-default.conf` and `/opt/npm/etc/modsecurity/crs-setup.conf`.**
+**Note: Internal Instance? Please disable `must-staple` in `/opt/npm/tls/certbot/config.ini`.**
## Project Goal
@@ -46,7 +48,7 @@ so that the barrier for entry here is low.
- Supports HTTP/3 (QUIC) protocol.
- Supports CrowdSec IPS. Please see [here](https://github.com/ZoeyVid/NPMplus#crowdsec) to enable it.
- Supports ModSecurity, with coreruleset as an option. You can configure ModSecurity/coreruleset by editing the files in the `/opt/npm/etc/modsecurity` folder.
- - If the core ruleset blocks valid requests, please check the `/data/etc/modsecurity/crs-setup.conf` file.
+ - If the core ruleset blocks valid requests, please check the `/opt/npm/etc/modsecurity/crs-setup.conf` file.
- Try to whitelist the Content-Type you are sending (for example, `application/activity+json` for Mastodon and `application/dns-message` for DoH).
- Try to whitelist the HTTP request method you are using (for example, `PUT` is blocked by default, which also affects NPM).
- Note: To fix [this issue](https://github.com/SpiderLabs/ModSecurity/issues/2848), instead of running `nginx -s reload`, this fork stops nginx and starts it again. This will result in a 502 error when you update your hosts. See https://github.com/ZoeyVid/NPMplus/issues/296 and https://github.com/ZoeyVid/NPMplus/issues/283.
@@ -95,17 +97,15 @@ so that the barrier for entry here is low.
- since this fork has dependency on `network_mode: host`, please don't forget to open port 80 and 443 (and maybe 81) in your firewall
# Crowdsec
-1. Install crowdsec: https://doc.crowdsec.net/docs/getting_started/install_crowdsec
+1. Install crowdsec using this compose file: https://github.com/ZoeyVid/NPMplus/blob/develop/compose.crowdsec.yaml
2. make sure to use `network_mode: host` in your compose file
-3. run `cscli bouncers add npm -o raw` and save the output
-4. run `cscli config show --key "Config.API.Client.Credentials.URL"` and save the output
-5. open `/data/etc/crowdsec/crowdsec.conf`
-6. set `ENABLED` to `true`
-7. use the output of step 4 as `API_KEY`
-8. use the output of step 5 as `API_URL` - But remove the `/` at the end (correct: `http://127.0.0.1:8080` - incorrect: `http://127.0.0.1:8080/`)
-9. make your changes
-10. save the file
-11. restart the npm
+3. run `docker exec crowdsec cscli bouncers add npmplus -o raw` and save the output
+4. open `/data/etc/crowdsec/crowdsec.conf`
+5. set `ENABLED` to `true`
+6. use the output of step 4 as `API_KEY`
+7. make sure `API_URL` is set to `http://127.0.0.1:8080`
+9. save the file
+10. restart the npm
# Use as webserver
@@ -153,43 +153,7 @@ location / {
- [Docker Install documentation](https://docs.docker.com/engine)
- [Docker Compose Install documentation](https://docs.docker.com/compose/install/linux)
-2. Create a compose.yaml file similar to this (or use it as a portainer stack):
-
-```yml
-version: "3"
-services:
- npmplus:
- container_name: npmplus
- image: zoeyvid/npmplus
- restart: always
- network_mode: host
- volumes:
- - "/opt/npm:/data"
-# - "/var/www:/var/www" # optional, if you want to use it as webserver for html/php
-# - "/opt/npm-letsencrypt:/etc/letsencrypt" # Only needed for first time migration from original nginx-proxy-manager to this fork
- environment:
- - "TZ=Europe/Berlin" # set timezone, required
-# - "PUID=1000" # set group id, default 0 (root)
-# - "PGID=1000" # set user id, default 0 (root)
-# - "NIBEP=48694" # internal port, always bound to 127.0.0.1, default 48693, you need to change it, if you want to run multiple npm instances in network mode host
-# - "NPM_PORT=82" # Port the NPM backend should be bound to, default 81, you need to change it, if you want to run multiple npm instances in network mode host
-# - "IPV4_BINDING=127.0.0.1" # IPv4 address to bind, defaults to all
-# - "NPM_IPV4_BINDING=127.0.0.1" # IPv4 address to bind for the NPM backend, defaults to all
-# - "IPV6_BINDING=[::1]" # IPv6 address to bind, defaults to all
-# - "NPM_IPV6_BINDING=[::1]" # IPv6 address to bind for the NPM backend, defaults to all
-# - "DISABLE_IPV6=true" # disable IPv6, overrides with IPV6_BINDING, default false
-# - "NPM_DISABLE_IPV6=true" # disable IPv6 for the NPM backend, overrides with NPM_IPV6_BINDING, default false, overrides NPM_LISTEN_LOCALHOST
-# - "NPM_LISTEN_LOCALHOST=true" # Bind the NPM Dashboard on Port 81 only to localhost, overrides with NPM_IPV4_BINDING/NPM_IPV6_BINDING, default false
-# - "NPM_CERT_ID=1" # ID of cert, which should be used instead of dummycerts, default 0/unset/dummycerts
-# - "DISABLE_HTTP=true" # disables nginx to listen on port 80, default false
-# - "NGINX_LOG_NOT_FOUND=true" # Allow logging of 404 errors, default false
-# - "CLEAN=false" # Clean folders, default true
-# - "FULLCLEAN=true" # Clean unused config folders, default false
-# - "PHP81=true" # Activate PHP81, default false
-# - "PHP81_APKS=php81-curl php-81-curl" # Add php extensions, see available packages here: https://pkgs.alpinelinux.org/packages?branch=v3.18&repo=community&arch=x86_64&name=php81-*, default none
-# - "PHP82=true" # Activate PHP82, default false
-# - "PHP82_APKS=php82-curl php-82-curl" # Add php extensions, see available packages here: https://pkgs.alpinelinux.org/packages?branch=v3.18&repo=community&arch=x86_64&name=php82-*, default none
-```
+2. Create a compose.yaml file similar to [this](https://github.com/ZoeyVid/NPMplus/blob/develop/compose.yaml) (or use it as a portainer stack):ยด
3. Bring up your stack by running (or deploy your portainer stack)
```bash
diff --git a/backend/package.json b/backend/package.json
index d11e690c..f6943fa7 100644
--- a/backend/package.json
+++ b/backend/package.json
@@ -12,11 +12,11 @@
"body-parser": "1.20.2",
"compression": "1.7.4",
"express": "4.18.2",
- "express-fileupload": "1.4.1",
+ "express-fileupload": "1.4.2",
"gravatar": "1.8.2",
"jsonwebtoken": "9.0.2",
"knex": "3.0.1",
- "liquidjs": "10.9.3",
+ "liquidjs": "10.9.4",
"lodash": "4.17.21",
"moment": "2.29.4",
"mysql": "2.18.1",
@@ -29,7 +29,7 @@
"author": "Jamie Curnow and ZoeyVid ",
"license": "MIT",
"devDependencies": {
- "eslint": "8.52.0",
+ "eslint": "8.53.0",
"eslint-plugin-align-assignments": "1.1.2"
}
}
diff --git a/backend/templates/_hsts.conf b/backend/templates/_hsts.conf
index a794e638..c0a743ed 100644
--- a/backend/templates/_hsts.conf
+++ b/backend/templates/_hsts.conf
@@ -10,10 +10,8 @@
{% unless certificate and certificate_id > 0 -%}
{% unless ssl_forced == 1 or ssl_forced == true %}
{% unless hsts_enabled == 1 or hsts_enabled == true %}
- more_clear_headers "Content-Security-Policy";
-
more_clear_headers "Expect-CT";
more_clear_headers "Strict-Transport-Security";
{% endunless %}
{% endunless %}
-{% endunless %}
\ No newline at end of file
+{% endunless %}
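Review bot: Dropping `more_clear_headers "Content-Security-Policy";` from the no-certificate branch means a host served over plain HTTP now keeps whatever `hsts.conf` sets, and with the new `$content_security_policy` map that is `upgrade-insecure-requests` whenever the upstream sends no CSP of its own; browsers honour that directive on http:// documents as well, rewriting subresource and navigation requests to https that such a host cannot serve, which is presumably why the clear existed. If the intent is only to let an upstream-supplied CSP pass through, keep `more_clear_headers "Content-Security-Policy";` in this branch, or make the map's fallback depend on `$scheme` so the directive is emitted only on https responses. The enclosing Liquid template begins before the hunk.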
diff --git a/compose.crowdsec.yaml b/compose.crowdsec.yaml
new file mode 100644
index 00000000..52c9a6ba
--- /dev/null
+++ b/compose.crowdsec.yaml
@@ -0,0 +1,13 @@
+services:
+ crowdsec:
+ container_name: crowdsec
+ image: crowdsecurity/crowdsec
+ restart: always
+ network_mode: bridge
+ ports:
+ - "127.0.0.1:8080:8080"
+ environment:
+ - "TZ=Europe/Berlin"
+ volumes:
+ - "/opt/crowdsec/conf:/etc/crowdsec"
+ - "/opt/crowdsec/data:/var/lib/crowdsec/data"
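Review bot: `image: crowdsecurity/crowdsec` carries no tag, so every `docker compose pull` resolves to whatever `latest` is at that moment and the LAPI the NPMplus bouncer talks to can change underneath a running deployment with no visible version change; pin it, `image: crowdsecurity/crowdsec:<pinned-version>`. Publishing the API on `127.0.0.1:8080` only is the right choice given the README's `API_URL` of `http://127.0.0.1:8080` and the host-networked proxy. Nothing here mounts an NPMplus log directory into the container or declares a collection, so as written the agent appears to have no local log source to parse; if that minimal setup is intended, the README step that points at this file should say so, otherwise add the log volume.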
diff --git a/frontend/package.json b/frontend/package.json
index 94ea1c69..5538a527 100644
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -4,7 +4,7 @@
"description": "A beautiful interface for creating Nginx endpoints",
"main": "js/index.js",
"dependencies": {
- "@babel/core": "7.23.2",
+ "@babel/core": "7.23.3",
"babel-core": "6.26.3",
"babel-loader": "8.3.0",
"babel-preset-env": "1.7.0",
diff --git a/rootfs/bin/start.sh b/rootfs/bin/start.sh
index d8f089c5..9bd41dea 100755
--- a/rootfs/bin/start.sh
+++ b/rootfs/bin/start.sh
@@ -359,7 +359,6 @@ find /data/nginx -type f -name '*.conf' -exec sed -i "/ssl_stapling/d" {} \;
find /data/nginx -type f -name '*.conf' -exec sed -i "/ssl_stapling_verify/d" {} \;
touch /data/etc/html/index.html \
- /data/etc/modsecurity/modsecurity.conf \
/data/nginx/default.conf \
/data/nginx/ip_ranges.conf \
/data/nginx/custom/root.conf \
@@ -372,9 +371,21 @@ touch /data/etc/html/index.html \
/data/nginx/custom/stream.conf \
/data/nginx/custom/server_stream.conf \
/data/nginx/custom/server_stream_tcp.conf \
- /data/nginx/custom/server_stream_udp.conf
+ /data/nginx/custom/server_stream_udp.conf \
+ /data/etc/modsecurity/modsecurity-extra.conf
-cp -vn /usr/local/nginx/conf/conf.d/include/coreruleset/crs-setup.conf.example /data/etc/modsecurity/crs-setup.conf
+if [ ! -f /data/etc/modsecurity/modsecurity-default.conf ]; then
+ cp -vn /usr/local/nginx/conf/conf.d/include/modsecurity.conf.example /data/etc/modsecurity/modsecurity-default.conf
+fi
+cp /usr/local/nginx/conf/conf.d/include/modsecurity.conf.example /data/etc/modsecurity/modsecurity-default.conf.example
+
+if [ ! -f /data/etc/modsecurity/modsecurity.conf ]; then
+ mv -v /usr/local/nginx/conf/conf.d/include/coreruleset/crs-setup.conf.example /data/etc/modsecurity/modsecurity-extra.conf
+fi
+
+if [ ! -f /data/etc/modsecurity/crs-setup.conf ]; then
+ cp -vn /usr/local/nginx/conf/conf.d/include/coreruleset/crs-setup.conf.example /data/etc/modsecurity/crs-setup.conf
+fi
cp /usr/local/nginx/conf/conf.d/include/coreruleset/crs-setup.conf.example /data/etc/modsecurity/crs-setup.conf.example
if [ "$NPM_CERT_ID" = "0" ]; then
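Review bot: The `mv -v` of `/usr/local/nginx/conf/conf.d/include/coreruleset/crs-setup.conf.example` to `modsecurity-extra.conf` removes the only copy of that example from the image, so on any start where `/data/etc/modsecurity/modsecurity.conf` is absent (every fresh install, since the `touch` that created it was removed in the hunk above) the two copies that follow it, `cp -vn ... crs-setup.conf.example /data/etc/modsecurity/crs-setup.conf` and the unconditional `cp ... crs-setup.conf.example`, fail with a missing source file. The source also looks wrong: `crs-setup.conf.example` is the CRS configuration, not ModSecurity engine directives, and the guard tests for the absence of the old user file rather than its presence. If this block is meant to migrate the pre-existing user file into the new layout, the intended form is presumably `if [ -f /data/etc/modsecurity/modsecurity.conf ]; then mv -v /data/etc/modsecurity/modsecurity.conf /data/etc/modsecurity/modsecurity-extra.conf; fi`. Whether the failed copies abort the script depends on a `set -e` outside the hunk.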
@@ -499,20 +510,20 @@ sed -i "s|48693|$NIBEP|g" /usr/local/nginx/conf/conf.d/npm.conf
sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\({{ incoming_port }}\)/listen $IPV4_BINDING:\2/g" /app/templates/stream.conf
sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen $IPV4_BINDING:\2/g" /usr/local/nginx/conf/conf.d/no-server-name.conf
find /data/nginx -type f -name '*.conf' -exec sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen $IPV4_BINDING:\2/g" {} \;
-find /app/templates -type f -name '*.conf' -exec sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen $IPV4_BINDING:\2/g" {} \;
+find /app/templates -type f -name '*.conf' -not -path "/app/templates/stream.conf" -exec sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen $IPV4_BINDING:\2/g" {} \;
find /usr/local/nginx/conf/conf.d -type f -name '*.conf' -exec sed -i "s/#\?listen \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+:\)\?\([0-9]\+\)/listen $IPV4_BINDING:\2/g" {} \;
if [ "$DISABLE_IPV6" = "true" ]; then
sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\({{ incoming_port }}\)/#listen \[\1\]:\2/g" /app/templates/stream.conf
sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/#listen \[\1\]:\2/g" /usr/local/nginx/conf/conf.d/no-server-name.conf
find /data/nginx -type f -name '*.conf' -exec sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/#listen \[\1\]:\2/g" {} \;
- find /app/templates -type f -name '*.conf' -exec sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/#listen \[\1\]:\2/g" {} \;
+ find /app/templates -type f -name '*.conf' -not -path "/app/templates/stream.conf" -exec sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/#listen \[\1\]:\2/g" {} \;
find /usr/local/nginx/conf/conf.d -type f -name '*.conf' -exec sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/#listen \[\1\]:\2/g" {} \;
else
sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\({{ incoming_port }}\)/listen $IPV6_BINDING:\2/g" /app/templates/stream.conf
sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/listen $IPV6_BINDING:\2/g" /usr/local/nginx/conf/conf.d/no-server-name.conf
find /data/nginx -type f -name '*.conf' -exec sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/listen $IPV6_BINDING:\2/g" {} \;
- find /app/templates -type f -name '*.conf' -exec sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/listen $IPV6_BINDING:\2/g" {} \;
+ find /app/templates -type f -name '*.conf' -not -path "/app/templates/stream.conf" -exec sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/listen $IPV6_BINDING:\2/g" {} \;
find /usr/local/nginx/conf/conf.d -type f -name '*.conf' -exec sed -i "s/#\?listen \[\([0-9a-f:]\+\)\]:\([0-9]\+\)/listen $IPV6_BINDING:\2/g" {} \;
fi
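Review bot: The `-not -path "/app/templates/stream.conf"` exclusion is now spelled out five times — the three `find /app/templates` lines in this hunk and the two in the `DISABLE_HTTP` block below — each beside a sed expression that is itself repeated verbatim, so the next template that needs its own handling has to be added in five places. A small helper would keep the exclusion in one spot, e.g. `templates_except_stream() { find /app/templates -type f -name '*.conf' -not -path "/app/templates/stream.conf" "$@"; }` and then `templates_except_stream -exec sed -i "..." {} \;` at each call site. The `if`/`else` on `DISABLE_IPV6` is entirely within the hunk.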
@@ -529,11 +540,11 @@ fi
if [ "$DISABLE_HTTP" = "true" ]; then
find /data/nginx -type f -name '*.conf' -exec sed -i "s|#\?\(listen.*80\)|#\1|g" {} \;
- find /app/templates -type f -name '*.conf' -exec sed -i "s|#\?\(listen.*80\)|#\1|g" {} \;
+ find /app/templates -type f -name '*.conf' -not -path "/app/templates/stream.conf" -exec sed -i "s|#\?\(listen.*80\)|#\1|g" {} \;
find /usr/local/nginx/conf/conf.d -type f -name '*.conf' -exec sed -i "s|#\?\(listen.*80\)|#\1|g" {} \;
else
find /data/nginx -type f -name '*.conf' -exec sed -i "s|#\?\(listen.*80\)|\1|g" {} \;
- find /app/templates -type f -name '*.conf' -exec sed -i "s|#\?\(listen.*80\)|\1|g" {} \;
+ find /app/templates -type f -name '*.conf' -not -path "/app/templates/stream.conf" -exec sed -i "s|#\?\(listen.*80\)|\1|g" {} \;
find /usr/local/nginx/conf/conf.d -type f -name '*.conf' -exec sed -i "s|#\?\(listen.*80\)|\1|g" {} \;
fi
@@ -548,22 +559,25 @@ fi
if [ ! -f /data/tls/certbot/config.ini ]; then
cp -vn /etc/tls/certbot.ini /data/tls/certbot/config.ini
fi
+cp /etc/tls/certbot.ini /data/tls/certbot/config.ini.example
if [ ! -f /data/etc/crowdsec/ban.html ]; then
cp -vn /usr/local/nginx/conf/conf.d/include/ban.html /data/etc/crowdsec/ban.html
fi
+cp /usr/local/nginx/conf/conf.d/include/ban.html /data/etc/crowdsec/ban.html.example
if [ ! -f /data/etc/crowdsec/captcha.html ]; then
cp -vn /usr/local/nginx/conf/conf.d/include/captcha.html /data/etc/crowdsec/captcha.html
fi
+cp /usr/local/nginx/conf/conf.d/include/captcha.html /data/etc/crowdsec/captcha.html.example
if [ ! -f /data/etc/crowdsec/crowdsec.conf ]; then
cp -vn /usr/local/nginx/conf/conf.d/include/crowdsec.conf /data/etc/crowdsec/crowdsec.conf
-else
- sed -i "s|crowdsec.conf|captcha.html|g" /data/etc/crowdsec/crowdsec.conf
fi
+cp /usr/local/nginx/conf/conf.d/include/crowdsec.conf /data/etc/crowdsec/crowdsec.conf.example
+sed -i "s|crowdsec.conf|captcha.html|g" /data/etc/crowdsec/crowdsec.conf
-if grep -iq "^ENABLED[ ]\+\?=[ ]\+\?true$" /data/etc/crowdsec/crowdsec.conf; then
+if grep -iq "^ENABLED[ ]*=[ ]*true$" /data/etc/crowdsec/crowdsec.conf; then
cp -vn /usr/local/nginx/conf/conf.d/include/crowdsec_nginx.conf /usr/local/nginx/conf/conf.d/crowdsec.conf
else
rm -vf /usr/local/nginx/conf/conf.d/crowdsec.conf
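Review bot: Moving `sed -i "s|crowdsec.conf|captcha.html|g" /data/etc/crowdsec/crowdsec.conf` out of the `else` branch makes it run on every start against every install, including the file just copied from the image, and the pattern is unanchored: any occurrence of the string `crowdsec.conf` in that file — a comment, or a path under a different key — is rewritten to `captcha.html`. If this is a one-time migration of a wrongly defaulted `CAPTCHA_TEMPLATE_PATH` (the key the Dockerfile sets in the bouncer's `config_example.conf`), anchor it to that key, `sed -i "s|^\(CAPTCHA_TEMPLATE_PATH=.*\)crowdsec.conf|\1captcha.html|" /data/etc/crowdsec/crowdsec.conf`, so it cannot touch anything else. The tightened `grep -iq "^ENABLED[ ]*=[ ]*true$"` is a genuine fix over the previous `[ ]\+\?` form. The `if`/`else` on that grep continues past the hunk.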
diff --git a/rootfs/usr/local/nginx/conf/conf.d/include/hsts.conf b/rootfs/usr/local/nginx/conf/conf.d/include/hsts.conf
index 11de7076..6149d805 100644
--- a/rootfs/usr/local/nginx/conf/conf.d/include/hsts.conf
+++ b/rootfs/usr/local/nginx/conf/conf.d/include/hsts.conf
@@ -2,6 +2,6 @@ more_set_headers "X-XSS-Protection: 0";
more_set_headers "X-Frame-Options: SAMEORIGIN";
more_set_headers "X-Content-Type-Options: nosniff";
more_set_headers "Referrer-Policy: strict-origin-when-cross-origin";
-more_set_headers "Content-Security-Policy: upgrade-insecure-requests";
+more_set_headers "Content-Security-Policy: $content_security_policy";
-more_set_headers "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload";
\ No newline at end of file
+more_set_headers "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload";
diff --git a/rootfs/usr/local/nginx/conf/conf.d/include/modsecurity-crs.conf b/rootfs/usr/local/nginx/conf/conf.d/include/modsecurity-crs.conf
new file mode 100644
index 00000000..257c7b40
--- /dev/null
+++ b/rootfs/usr/local/nginx/conf/conf.d/include/modsecurity-crs.conf
@@ -0,0 +1,4 @@
+Include /data/etc/modsecurity/modsecurity-default.conf
+Include /data/etc/modsecurity/modsecurity-extra.conf
+Include /data/etc/modsecurity/crs-setup.conf
+Include /usr/local/nginx/conf/conf.d/include/coreruleset/rules/*.conf
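Review bot: `crs-setup.conf` is read from the persistent `/data` volume while the rules it configures come from the image's `coreruleset/rules/*.conf`, and `start.sh` copies the setup file only when it is absent, so after an image update a user's setup file can lag the rule set it is paired with; the CRS setup example does change between releases. A comment here would make that contract visible to whoever edits the file, e.g. `# crs-setup.conf is user-owned and is not refreshed on upgrade; diff it against crs-setup.conf.example after updating the image`.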
diff --git a/rootfs/usr/local/nginx/conf/conf.d/include/modsecurity.conf b/rootfs/usr/local/nginx/conf/conf.d/include/modsecurity.conf
new file mode 100644
index 00000000..e67510fe
--- /dev/null
+++ b/rootfs/usr/local/nginx/conf/conf.d/include/modsecurity.conf
@@ -0,0 +1,2 @@
+Include /data/etc/modsecurity/modsecurity-default.conf
+Include /data/etc/modsecurity/modsecurity-extra.conf
diff --git a/rootfs/usr/local/nginx/conf/nginx.conf b/rootfs/usr/local/nginx/conf/nginx.conf
index 463d0810..e3a180b0 100644
--- a/rootfs/usr/local/nginx/conf/nginx.conf
+++ b/rootfs/usr/local/nginx/conf/nginx.conf
@@ -62,9 +62,9 @@ http {
limit_req_zone $binary_remote_addr zone=one:10m rate=180r/s;
limit_req zone=one burst=1800;
- # Default upstream scheme
- map $host $forward_scheme {
- default http;
+ map $upstream_http_content_security_policy $content_security_policy {
+ default $upstream_http_content_security_policy;
+ '' "upgrade-insecure-requests";
}
# Websocket
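Review bot: The removed `map $host $forward_scheme { default http; }` was the http-level definition of `$forward_scheme`, and nginx refuses to load a configuration that reads a variable nobody defines (`unknown "forward_scheme" variable`), so this is safe only if every server block that references it has its own `set $forward_scheme ...` — worth a grep over the templates before merging, since hosts that never proxy (redirect or 404 hosts) may not set it. The new map itself is sound: `$upstream_http_content_security_policy` is empty both for non-proxied responses and for upstreams that send no CSP, and both fall back to `upgrade-insecure-requests`. One caveat worth documenting is that, as far as I can tell, nginx folds several same-named upstream headers into one variable value, so a backend that sends multiple `Content-Security-Policy` headers will not have them reproduced one-for-one by the `more_set_headers` in `hsts.conf`. A comment in place of the one lost with the old map, `# CSP: pass the upstream's policy through unchanged; fall back to upgrade-insecure-requests when it sends none`, would also record the intent.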