diff --git a/apache/manifests/debian.pp b/apache/manifests/debian.pp
index 94a7710..98c96cb 100644
--- a/apache/manifests/debian.pp
+++ b/apache/manifests/debian.pp
@@ -186,7 +186,7 @@ class apache::debian::sslserver inherits apache::debian::common {
 }
-define apache::debian::sslsite($first, $ipaddr, $root,
+define apache::debian::sslsite($first, $hsts, $ipaddr, $root,
 $ssl_cert, $ssl_key, $ssl_chain) {
 if $name == "default" {
diff --git a/apache/manifests/init.pp b/apache/manifests/init.pp
index 36ff8e8..7944ca8 100644
--- a/apache/manifests/init.pp
+++ b/apache/manifests/init.pp
@@ -266,6 +266,9 @@ class apache::sslserver::listen {
 # $first:
 # Bool for whether this is the first (default) vhost
 # when using NameVirtualHost. Defaults to false.
+# $hsts:
+# Bool for whether to enable HTTP Strict Transport Security for this
+# virtual host. Defaults to false.
 # $ipaddr:
 # IP address of virtual host. Defaults to _default_.
 # $root:
@@ -285,15 +288,21 @@ class apache::sslserver::listen {
 # ssl_key => "puppet:///path/to/www.example.com.key",
 # }
 #
-define apache::sslsite($first=false, $ipaddr="_default_", $root="", $ssl_cert="", $ssl_key="", $ssl_chain="") {
+define apache::sslsite($first=false, $hsts=false, $ipaddr="_default_", $root="",
+ $ssl_cert="", $ssl_key="", $ssl_chain="") {
 include apache::sslserver::listen
+ if $hsts == true {
+ include apache::mod::headers
+ }
+
 case $::operatingsystem {
 "debian","ubuntu": {
 $apache_ssldir = "/etc/ssl"
 apache::debian::sslsite { $name:
 first => $first,
+ hsts => $hsts,
 ipaddr => $ipaddr,
 root => $root,
 ssl_cert => $ssl_cert,
@@ -306,6 +315,7 @@ define apache::sslsite($first=false, $ipaddr="_default_", $root="", $ssl_cert=""
 $apache_ssldir = "/etc/pki/tls"
 apache::redhat::sslsite { $name:
 first => $first,
+ hsts => $hsts,
 ipaddr => $ipaddr,
 root => $root,
 ssl_cert => $ssl_cert,
diff --git a/apache/manifests/redhat.pp b/apache/manifests/redhat.pp
index 2aefc68..f72ce64 100644
--- a/apache/manifests/redhat.pp
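Review bot: `if $hsts == true` in apache::sslsite enables HSTS only when the parameter is the boolean true; a caller or ENC that hands in the string "true" appears to fall through this test, and the template's `<% if @hsts == true -%>` (site.https.conf.erb hunk) is a Ruby comparison where "true" == true is definitely false, so such a value leaves the header out silently instead of failing. Because a missing HSTS header is invisible in a catalog run, consider rejecting non-boolean values up front, e.g. `if $hsts != true and $hsts != false { fail("apache::sslsite ${name}: hsts must be a boolean, got '${hsts}'") }`, placed before the include of apache::mod::headers. The body of apache::sslsite continues past the hunk. Note also that apache::debian::sslsite and apache::redhat::sslsite now require $hsts with no default, so any other caller of those defines outside this diff would need the new argument.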
+++ b/apache/manifests/redhat.pp
@@ -225,7 +225,7 @@ class apache::redhat::sslserver {
 }
-define apache::redhat::sslsite($first, $ipaddr, $root,
+define apache::redhat::sslsite($first, $hsts, $ipaddr, $root,
 $ssl_cert, $ssl_key, $ssl_chain) {
 if $name == "default" {
diff --git a/apache/templates/site.https.conf.erb b/apache/templates/site.https.conf.erb
index d8b8989..4545bf6 100644
--- a/apache/templates/site.https.conf.erb
+++ b/apache/templates/site.https.conf.erb
@@ -148,6 +148,13 @@ BrowserMatch "MSIE [2-5]" \
 # compact non-error SSL logfile on a virtual host basis.
 #CustomLog logs/ssl_request_log \
 # "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+<% if @hsts == true -%>
+
+# Enable HTTP Strict Transport Security
+
+ Header always set Strict-Transport-Security "max-age=15768000"
+
+<% end -%>
 Include <%= @site_confdir %>/*.conf
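Review bot: The `Header always set Strict-Transport-Security "max-age=15768000"` line hard-codes the policy lifetime (about 182 days) with no way to tune it per vhost or to opt into includeSubDomains, and because browsers enforce the pinned policy for the full max-age after the last response they saw, a host that is enabled by mistake or later has to serve plain HTTP cannot undo that from the server side until the period runs out. At minimum a comment above the directive should say so, e.g. `# max-age is ~6 months; clients enforce HTTPS-only for that long, so lower it well before any planned move away from TLS.`, and a $hsts_max_age parameter threaded through apache::sslsite the same way as $hsts would let a rollout start with a short lifetime and grow it. Keeping the header in the HTTPS-only template is correct, since clients ignore Strict-Transport-Security received over plain HTTP.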