diff --git a/Makefile b/Makefile
index 36e1da9b6..4ef0ce82a 100644
--- a/Makefile
+++ b/Makefile
@@ -100,6 +100,7 @@ apache-config: apache-install apache-ssl
 apache-ssl:
 make-ssl-cert generate-default-snakeoil
 a2enmod ssl
+ a2enmod headers
 a2enmod rewrite
 a2enmod proxy
 a2enmod proxy_http
diff --git a/share/apache2/plinth.conf b/share/apache2/plinth.conf
index e29a543ca..5edd6eea6 100644
--- a/share/apache2/plinth.conf
+++ b/share/apache2/plinth.conf
@@ -21,6 +21,9 @@ SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key + ## Use HTTP Strict Transport Security to force client to use secure connections only + Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" + ## Shared options. ProxyPreserveHost on DocumentRoot /usr/share/plinth
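Review bot: The added `a2enmod headers` in the `apache-ssl` recipe is now a hard prerequisite of share/apache2/plinth.conf, and nothing in the Makefile says so. Apache rejects an unguarded `Header` directive when mod_headers is not loaded, so a later cleanup of this module list, or an install path that does not run this target (none is visible here), would stop the server from starting. A comment above the target would record the coupling, for example `# headers: required by the Strict-Transport-Security directive in share/apache2/plinth.conf`.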
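Review bot: The added `Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"` commits clients to a one-year policy covering every subdomain, while the context lines just above it still configure the self-signed snakeoil certificate. Under RFC 6797 a browser ignores the header when the TLS connection had certificate errors, so with this certificate the policy only takes hold in clients that already trust it. Once a client has recorded the policy it no longer allows click-through on certificate errors, so a fallback to the snakeoil certificate, or any subdomain without valid HTTPS, becomes unreachable for up to a year. Consider a short initial value without the subdomain scope until a trusted certificate is in place, such as `Header always set Strict-Transport-Security "max-age=86400"`, and state that prerequisite in the comment. The enclosing block starts outside the hunk, so it cannot be confirmed from here that the header is sent only by the TLS virtual host.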