diff --git a/src/Pages/_ViewStart.cshtml b/src/Pages/_ViewStart.cshtml
index c2fe9dd..1292566 100644
--- a/src/Pages/_ViewStart.cshtml
+++ b/src/Pages/_ViewStart.cshtml
@@ -9,6 +9,6 @@
if (Context.Request.IsHttps)
{
- Context.Response.Headers["Strict-Transport-Security"] = "max-age=63072000";
+ Context.Response.Headers["Strict-Transport-Security"] = "max-age=63072000; includeSubDomains";
}
}
\ No newline at end of file
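Review bot: Adding `includeSubDomains` with a two-year `max-age` commits every subdomain of this host to HTTPS for any browser that has seen the header, so a subdomain still served over plain HTTP becomes unreachable for those users until the policy expires. A comment above the assignment would record that precondition, e.g. `// includeSubDomains: every subdomain must serve valid HTTPS before this is deployed`. Because the header is set in `_ViewStart.cshtml`, it is presumably sent only on responses that render a view, not on static files or on the redirects added in `Startup.cs`; setting it in middleware would cover those too. The enclosing code block starts above the hunk.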
diff --git a/src/Startup.cs b/src/Startup.cs
index 36ac6b2..402c913 100644
--- a/src/Startup.cs
+++ b/src/Startup.cs
@@ -3,6 +3,7 @@
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Rewrite;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Net.Http.Headers;
@@ -73,6 +74,11 @@ public void Configure(IApplicationBuilder app, IHostingEnvironment env)
}
});
+ if (Configuration.GetValue("forcessl"))
+ {
+ app.UseRewriter(new RewriteOptions().AddRedirectToHttps());
+ }
+
app.UseMvc(routes =>
{
routes.MapRoute(
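Review bot: The rewriter is registered after the middleware whose call closes at `});` just above, so if that is the static-file middleware (its start is outside the hunk), static content is still served over HTTP and never redirected; registering the redirect as the first step of `Configure` avoids that. `AddRedirectToHttps()` without arguments issues a temporary 302, so for a lasting policy consider `AddRedirectToHttps(StatusCodes.Status301MovedPermanently)` or `AddRedirectToHttpsPermanent()`. As shown, `Configuration.GetValue("forcessl")` has no type argument; presumably `GetValue<bool>` lost its angle brackets when the page was rendered. If TLS is terminated at a reverse proxy, the forwarded scheme has to be applied before this middleware or the redirect will loop. `Configure` starts and ends outside the hunk.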
diff --git a/src/appsettings.Production.json b/src/appsettings.Production.json
index 457e003..8ece934 100644
--- a/src/appsettings.Production.json
+++ b/src/appsettings.Production.json
@@ -1,4 +1,5 @@
{
+ "forcessl": false, // Set to true if you run https
"Logging": {
"IncludeScopes": false,
"Debug": {
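Review bot: With `false` as the Production default, an HTTPS deployment keeps answering plain HTTP without a redirect until someone edits this file, and the inline comment does not say so. A fuller comment would make the consequence visible, e.g. `// Set to true when the site is served over HTTPS; while false, HTTP requests are not redirected`. The `//` comment relies on the configuration loader accepting comments in JSON, which the existing comment in `appsettings.json` suggests it does.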
diff --git a/src/appsettings.json b/src/appsettings.json
index 5d935b4..9dccf1a 100644
--- a/src/appsettings.json
+++ b/src/appsettings.json
@@ -1,4 +1,5 @@
{
+ "forcessl": false,
"user": {
"username": "demo",
// Generate a new password hash with salt here https://onlinehasher.azurewebsites.net/