diff --git a/tasks/apache2.yml b/tasks/apache2.yml
index 89df7b7..28d3a44 100644
--- a/tasks/apache2.yml
+++ b/tasks/apache2.yml
@@ -8,6 +8,7 @@
     - ssl
     - rewrite
     - env
+    - headers
   notify: restart apache2
 
 - name: apache2 nextcloud vhost
diff --git a/templates/apache-vhost.conf.j2 b/templates/apache-vhost.conf.j2
index 2f64cd2..eef011b 100644
--- a/templates/apache-vhost.conf.j2
+++ b/templates/apache-vhost.conf.j2
@@ -13,6 +13,7 @@
   {% if not certificate_provider == "selfsigned" %}
   SSLCertificateChainFile "/etc/ssl/certs/nextcloud.chain.pem"
   {% endif %}
+  Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
 
   DocumentRoot {{nextcloud_directory}}