diff --git a/roles/nginx/server/templates/nginx.conf.j2 b/roles/nginx/server/templates/nginx.conf.j2
index 971f2b3..9d3d300 100644
--- a/roles/nginx/server/templates/nginx.conf.j2
+++ b/roles/nginx/server/templates/nginx.conf.j2
@@ -26,8 +26,6 @@ http {
 ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
 ssl_prefer_server_ciphers off;
- add_header Strict-Transport-Security "max-age=63072000" always;
-
 proxy_ssl_certificate {{ tls_certs }}/{{ inventory_hostname }}.crt;
 proxy_ssl_certificate_key {{ tls_private }}/{{ inventory_hostname }}.key;
diff --git a/roles/nginx/site/templates/site.conf.j2 b/roles/nginx/site/templates/site.conf.j2
index 11836ca..62b390d 100644
--- a/roles/nginx/site/templates/site.conf.j2
+++ b/roles/nginx/site/templates/site.conf.j2
@@ -10,6 +10,8 @@ server {
 listen [::]:443 ssl http2;
 server_name {{ site }};
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
 {% if ssl_config is defined %}
 {% if ssl_config == "old" %}
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
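Review bot: The HSTS `add_header` now lives only at `server` level in site.conf.j2, and nginx does not inherit `add_header` into a `location` that declares any `add_header` of its own, so every location in this template (or in anything it includes) that sets its own headers will silently stop sending Strict-Transport-Security; the rest of the `server {` block is outside the hunk, so I cannot see whether such locations exist here. A comment above the new line would keep the next maintainer from relying on inheritance: `# Not inherited by a location that sets its own add_header -- repeat it there`. The same move also removes the header from the `http` block in nginx.conf.j2 (first hunk), so any vhost not rendered from site.conf.j2 loses HSTS entirely; worth confirming that is intended. A deployment-time check that `curl -sI` of each site shows the header would catch both regressions.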