diff --git a/nginx/mailcow.conf b/nginx/mailcow.conf
index 2854710..604a277 100644
--- a/nginx/mailcow.conf
+++ b/nginx/mailcow.conf
@@ -37,11 +37,12 @@ server {
         resolver 1.1.1.1:53 1.0.0.1:53 '[2606:4700:4700::1111]:53' '[2606:4700:4700::1001]:53' valid=300s;
         resolver_timeout 30s;
 
+        add_header Strict-Transport-Security "max-age=63072000";
         add_header X-Frame-Options "SAMEORIGIN" always;
         add_header X-XSS-Protection "1; mode=block" always;
         add_header X-Content-Type-Options "nosniff" always;
-        add_header Referrer-Policy "strict-origin-when-cross-origin";
-        add_header Content-Security-Policy "upgrade-insecure-requests; default-src https:" always;
+        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+        add_header Content-Security-Policy "upgrade-insecure-requests" always;
         add_header Feature-policy "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'" always;       
 
         location ^~ /.well-known/acme-challenge/ {