diff --git a/configuration/default.nix b/configuration/default.nix
index 683b144..8600070 100644
--- a/configuration/default.nix
+++ b/configuration/default.nix
@@ -63,7 +63,10 @@
         lib.recursiveUpdate {
           forceSSL = true;
           enableACME = true;
-          locations."/" = { proxyPass = "http://127.0.0.1:${toString port}"; };
+          locations."/".proxyPass = "http://127.0.0.1:${toString port}";
+          extraConfig = ''
+            add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+          '';
         } extra;
       domain = config.services.nginx.domain;
     in {