Error starting nginx "add_header"

Debian 10
Hestiacp v1.4.7

After restarting hestiacp I get an error when starting nginx

[email protected]:/# systemctl status nginx
nginx.service - nginx - high performance web server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Fri 2021-07-16 09:17:47 -03; 3min 56s ago
Docs: nginx documentation
Process: 2236 ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf (code=exited, status=1/FAILURE)

Jul 16 09:17:47 fw.melatoninavix.com systemd[1]: Starting nginx - high performance web server…
Jul 16 09:17:47 fw.melatoninavix.com nginx[2236]: nginx: [emerg] “add_header” directive is not allowed here in /etc/nginx/nginx.conf:25
Jul 16 09:17:47 fw.melatoninavix.com systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILURE
Jul 16 09:17:47 fw.melatoninavix.com systemd[1]: nginx.service: Failed with result ‘exit-code’.
Jul 16 09:17:47 fw.melatoninavix.com systemd[1]: Failed to start nginx - high performance web server.

Error file
No manual changes were made to the file.

[email protected]:/# cat /etc/nginx/nginx.conf

Server globals

user www-data;
worker_processes auto;
worker_rlimit_nofile 65535;
error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

BEGIN Really_Simple_SSL_SECURITY_HEADERS

add_header Strict-Transport-Security: “max-age=31536000” always
add_header Content-Security-Policy: “upgrade-insecure-requests”
add_header X-XSS-Protection: “1; mode=block”
add_header X-Content-Type-Options: “nosniff”
add_header Referrer-Policy: “no-referrer-when-downgrade”

END Really_Simple_SSL_SECURITY_HEADERS

Worker config

events {
worker_connections 1024;
use epoll;
multi_accept on;
}

http {
# Main settings
sendfile on;
tcp_nopush on;
tcp_nodelay on;
client_header_timeout 180s;
client_body_timeout 180s;
client_header_buffer_size 2k;
client_body_buffer_size 256k;
client_max_body_size 512m;
large_client_header_buffers 4 8k;
send_timeout 60s;
keepalive_timeout 30s;
keepalive_requests 100000;
reset_timedout_connection on;
server_tokens off;
server_name_in_redirect off;
server_names_hash_max_size 512;
server_names_hash_bucket_size 512;
charset utf-8;

# FastCGI settings
fastcgi_buffers                 4 256k;
fastcgi_buffer_size             256k;
fastcgi_busy_buffers_size       256k;
fastcgi_temp_file_write_size    256k;
fastcgi_connect_timeout         30s;
fastcgi_read_timeout            300s;
fastcgi_send_timeout            180s;
fastcgi_cache_lock              on;
fastcgi_cache_lock_timeout      5s;
fastcgi_cache_background_update on;
fastcgi_cache_revalidate        on;

# Proxy settings
proxy_redirect                  off;
proxy_set_header                Host $host;
proxy_set_header                X-Real-IP $remote_addr;
proxy_set_header                X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass_header               Set-Cookie;
proxy_buffers                   32 4k;
proxy_connect_timeout           30s;
proxy_read_timeout              300s;
proxy_send_timeout              180s;

# Log format
log_format  main    '$remote_addr - $remote_user [$time_local] $request '
                    '"$status" $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
log_format  bytes   '$body_bytes_sent';
log_not_found off;
access_log off;

# Mime settings
include             /etc/nginx/mime.types;
default_type        application/octet-stream;

# Compression
gzip                on;
gzip_static         on;
gzip_vary           on;
gzip_comp_level     6;
gzip_min_length     1024;
gzip_buffers        16 8k;
gzip_http_version   1.1;
gzip_types          text/plain text/css text/javascript text/js text/xml application/json application/javascript application/x-javascript application/xml application/xml+rss application/x-font-ttf image/svg+xml font/opentype;
gzip_proxied        any;
gzip_disable        "MSIE [1-6]\.";

# Cloudflare https://www.cloudflare.com/ips
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/13;
set_real_ip_from 104.24.0.0/14;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
#set_real_ip_from  2400:cb00::/32;
#set_real_ip_from  2405:b500::/32;
#set_real_ip_from  2606:4700::/32;
#set_real_ip_from  2803:f800::/32;
#set_real_ip_from  2c0f:f248::/32;
#set_real_ip_from  2a06:98c0::/29;
real_ip_header     CF-Connecting-IP;

# SSL PCI compliance
ssl_session_cache   shared:SSL:20m;
ssl_session_timeout 60m;
ssl_buffer_size     1400;
ssl_protocols       TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers         "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
ssl_dhparam         /etc/ssl/dhparam.pem;
ssl_ecdh_curve      secp384r1;
ssl_session_tickets off;
resolver 213.186.33.99  valid=300s ipv6=off;
resolver_timeout    5s;

# Error pages
error_page 403 /error/404.html;
error_page 404 /error/404.html;
error_page 410 /error/410.html;
error_page 500 501 502 503 504 505 /error/50x.html;

# Cache settings
proxy_cache_path /var/cache/nginx levels=2 keys_zone=cache:10m inactive=60m max_size=1024m;
proxy_cache_key "$host$request_uri $cookie_user";
proxy_temp_path  /var/cache/nginx/temp;
proxy_ignore_headers Expires Cache-Control;
proxy_cache_use_stale error timeout invalid_header http_502;
proxy_cache_valid any 1d;

# FastCGI cache
fastcgi_cache_path /var/cache/nginx/micro levels=1:2 keys_zone=microcache:10m max_size=1024m inactive=30m;
fastcgi_cache_key "$scheme$request_method$host$request_uri";
fastcgi_cache_methods GET HEAD;
fastcgi_cache_use_stale updating error timeout invalid_header http_500 http_503;
fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
add_header X-FastCGI-Cache $upstream_cache_status;

# Cache bypass
map $http_cookie $no_cache {
    default 0;
    ~SESS 1;
    ~wordpress_logged_in 1;
}

# File cache (static assets)
open_file_cache          max=10000 inactive=30s;
open_file_cache_valid    60s;
open_file_cache_min_uses 2;
open_file_cache_errors   off;

# Wildcard include
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/conf.d/domains/*.conf;

}

what is the output of nginx -t?

If it complains about line 160 it could be a missing link here: /etc/nginx/conf.d/domains/*.conf

I have no output with the command below

[email protected]:/# nginx -t
bash: nginx: command not found

for a quick solution

the following lines were commented

BEGIN Really_Simple_SSL_SECURITY_HEADERS

add_header Strict-Transport-Security: “max-age = 31536000” sempre
add_header Content-Security-Policy: “upgrade-insecure-requests”
add_header X-XSS-Protection: “1; mode = block ”
add_header X-Content-Type-Options:“ nosniff ”
add_header Referrer-Policy:“ no-referrer-when-downgrade ”

Is there any harm in commenting the lines above?

About the folder with addresses in hestiacp

/etc/nginx/conf.d/domains/*.conf

Checked and contains all active addresses.