diff --git a/production b/production
index 6c5e13e..c1ad7b3 100644
--- a/production
+++ b/production
@@ -6,6 +6,7 @@ srv04 ansible_host=srv04.hamburg.freifunk.net
 
 [certbot]
 srv01
+srv02
 
 [certsync]
 srv03
diff --git a/roles/hopglass-frontend/templates/nginx-site.j2 b/roles/hopglass-frontend/templates/nginx-site.j2
index 491b6e2..f68e632 100644
--- a/roles/hopglass-frontend/templates/nginx-site.j2
+++ b/roles/hopglass-frontend/templates/nginx-site.j2
@@ -7,6 +7,7 @@ server {
     ssl_certificate_key {{ hopglass_frontend_tls_key }};
 
     include snippets/header-hsts.conf;
+    include snippets/header-security.conf;
     include snippets/no-unsafe-files.conf;
 
     root {{ hopglass_frontend_path }}/build;
@@ -19,8 +20,11 @@ server {
     listen [::]:80;
 
 {% if hopglass_frontend_tls_crt is defined %}
-    return 302 https://$host$request_uri;
+    location / {
+        return 302 https://$host$request_uri;
+    }
 {% else %}
+    include snippets/header-security.conf;
     include snippets/no-unsafe-files.conf;
 
     root {{ hopglass_frontend_path }}/build;
diff --git a/roles/nginx/files/snippets/header-hsts.conf b/roles/nginx/files/snippets/header-hsts.conf
index a5e357f..edfdd17 100644
--- a/roles/nginx/files/snippets/header-hsts.conf
+++ b/roles/nginx/files/snippets/header-hsts.conf
@@ -1 +1,2 @@
-add_header Strict-Transport-Security 'max-age=31536000';
+add_header Strict-Transport-Security "max-age=31536000";
+proxy_hide_header Strict-Transport-Security;
diff --git a/roles/nginx/files/snippets/header-security.conf b/roles/nginx/files/snippets/header-security.conf
new file mode 100644
index 0000000..fd0c678
--- /dev/null
+++ b/roles/nginx/files/snippets/header-security.conf
@@ -0,0 +1,8 @@
+add_header Referrer-Policy same-origin;
+add_header X-Content-Type-Options nosniff;
+add_header X-Frame-Options sameorigin;
+add_header X-XSS-Protection "1; mode=block";
+proxy_hide_header Referrer-Policy;
+proxy_hide_header X-Content-Type-Options;
+proxy_hide_header X-Frame-Options;
+proxy_hide_header X-XSS-Protection;
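Review bot: The HTTP-to-HTTPS redirect in the new `location /` of the hopglass template builds its target from `$host`, whereas the media and meta templates in this same change use `$server_name`; `$host` is taken from the client's Host header, so if this server block is (or ever becomes) the default catch-all server the redirect turns into an open redirect to an attacker-chosen hostname. Unless the block deliberately serves several server_names, `return 302 https://$server_name$request_uri;` removes that exposure and keeps the three templates consistent. Separately, 302 is a temporary redirect; a permanent HTTP-to-HTTPS upgrade is better expressed as `301` (or `308`, which also preserves the request method) so clients can cache it. The `server` block continues outside the hunk, so whether a `server_name` is set cannot be confirmed from here.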
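Review bot: None of the `add_header` lines in the new header-security.conf carry the `always` flag, so nginx emits these headers only on 2xx/3xx responses; any 4xx/5xx page (for example whatever `no-unsafe-files.conf` denies, or an autoindex miss) goes out without `X-Frame-Options` or `X-Content-Type-Options`. Appending `always` to each directive, e.g. `add_header X-Content-Type-Options nosniff always;`, makes them unconditional, and the same flag is missing from `header-hsts.conf`. `X-XSS-Protection "1; mode=block"` is worth reconsidering too: the browser XSS auditor it enables has been removed from Chromium-based browsers and current OWASP guidance is to send `X-XSS-Protection: 0`, because the legacy filter could be abused for cross-site leaks where it still exists. Note also that nginx inherits `add_header` into a `location` only when that location declares no `add_header` of its own, so any included location that adds one header will silently drop this whole set.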
diff --git a/roles/website/media/templates/site.j2 b/roles/website/media/templates/site.j2
index 3e24907..60621eb 100644
--- a/roles/website/media/templates/site.j2
+++ b/roles/website/media/templates/site.j2
@@ -6,10 +6,12 @@ server {
     ssl_certificate {{ media_tls_crt }};
     ssl_certificate_key {{ media_tls_key }};
 
-    root {{ media_root }};
     include snippets/autoindex.conf;
     include snippets/header-hsts.conf;
+    include snippets/header-security.conf;
     include snippets/no-unsafe-files.conf;
+
+    root {{ media_root }};
 }
 
 {% endif %}
@@ -18,7 +20,9 @@ server {
     listen 80;
     listen [::]:80;
 
-    return 302 https://$server_name$request_uri;
+    location / {
+        return 302 https://$server_name$request_uri;
+    }
 
     include snippets/location-acme.conf;
 }
diff --git a/roles/website/meta/templates/site.j2 b/roles/website/meta/templates/site.j2
index b5419d2..aae4ccf 100644
--- a/roles/website/meta/templates/site.j2
+++ b/roles/website/meta/templates/site.j2
@@ -6,11 +6,13 @@ server {
     ssl_certificate {{ meta_tls_crt }};
     ssl_certificate_key {{ meta_tls_key }};
 
-    root {{ meta_root }};
     include snippets/autoindex.conf;
     include snippets/header-hsts.conf;
+    include snippets/header-security.conf;
     include snippets/no-unsafe-files.conf;
 
+    root {{ meta_root }};
+
     location ~ \.php$ {
         fastcgi_pass unix:/var/run/php5-fpm.sock;
         fastcgi_param SCRIPT_FILENAME /var/www/meta$fastcgi_script_name;
@@ -24,7 +26,9 @@ server {
     listen 80;
     listen [::]:80;
 
-    return 302 https://$server_name$request_uri;
+    location / {
+        return 302 https://$server_name$request_uri;
+    }
 
     include snippets/location-acme.conf;
 }
diff --git a/roles/website/updates/templates/site.j2 b/roles/website/updates/templates/site.j2
index e0733e3..9ebc035 100644
--- a/roles/website/updates/templates/site.j2
+++ b/roles/website/updates/templates/site.j2
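Review bot: In the meta template the `proxy_hide_header` directives that the newly included `header-security.conf` brings in have no effect on the `location ~ \.php$` block, because responses coming back through `fastcgi_pass` are filtered by `fastcgi_hide_header`, not `proxy_hide_header`; if the PHP application emits its own `X-Frame-Options` or `Referrer-Policy`, the client receives both the upstream value and the one nginx adds. Adding `fastcgi_hide_header X-Frame-Options;` (and the matching lines for the other three headers) inside that location closes the gap, and the location must also declare no `add_header` of its own for the snippet's headers to be inherited into it at all. The `location ~ \.php$` block continues outside the hunk, so what it already hides or adds cannot be confirmed here.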
@@ -6,9 +6,12 @@ server {
     ssl_certificate {{ updates_tls_crt }};
     ssl_certificate_key {{ updates_tls_key }};
 
-    root {{ updates_root }};
     include snippets/autoindex.conf;
     include snippets/header-hsts.conf;
+    include snippets/header-security.conf;
+    include snippets/no-unsafe-files.conf;
+
+    root {{ updates_root }};
 }
 
 {% endif %}
@@ -18,8 +21,11 @@ server {
     listen 80;
     listen [::]:80;
 
-    root {{ updates_root }};
     include snippets/autoindex.conf;
+    include snippets/header-security.conf;
+    include snippets/no-unsafe-files.conf;
+
+    root {{ updates_root }};
 
 {% if updates_letsencrypt == 'local' %}
     include snippets/location-acme.conf;
@@ -33,6 +39,9 @@ server {
     listen 80;
     listen [::]:80;
 
-    root {{ updates_root }};
     include snippets/autoindex.conf;
+    include snippets/header-security.conf;
+    include snippets/no-unsafe-files.conf;
+
+    root {{ updates_root }};
 }
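Review bot: Unlike the media and meta templates in this change, the plain-HTTP `server` block in the second hunk keeps serving `updates_root` with `autoindex.conf` directly instead of redirecting to HTTPS, and the `header-security.conf` headers added to that cleartext response offer little protection, since an on-path attacker who can rewrite the firmware payload can strip the headers just as easily. If serving updates over HTTP is deliberate — presumably because update clients fetch without TLS and verify signatures themselves — a template comment such as `# served over plain HTTP on purpose: update clients verify firmware signatures; do not redirect to HTTPS` would keep a later cleanup from "fixing" it. The `{% if updates_letsencrypt == 'local' %}` branch and the enclosing `server` block continue outside the hunk.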