diff --git a/etc/nginx/conf.d/default-quic.conf b/etc/nginx/conf.d/default-quic.conf
index 8204c03..132ddd3 100644
--- a/etc/nginx/conf.d/default-quic.conf
+++ b/etc/nginx/conf.d/default-quic.conf
@@ -6,7 +6,6 @@ server {
 server_name hostname.of.your.server;
- include snippets/hsts.conf;
 include snippets/quic.conf;
 include snippets/robots.conf;
 include snippets/universal_paths.conf;
diff --git a/etc/nginx/conf.d/sites_miniflux.conf b/etc/nginx/conf.d/sites_miniflux.conf
index 285580d..d3e4b28 100644
--- a/etc/nginx/conf.d/sites_miniflux.conf
+++ b/etc/nginx/conf.d/sites_miniflux.conf
@@ -10,7 +10,6 @@ server {
 ssl_certificate_key /etc/letsencrypt/live/miniflux.yourdomain.tld/privkey.pem;
 ssl_trusted_certificate /etc/letsencrypt/live/miniflux.yourdomain.tld/chain.pem;
- include snippets/hsts.conf;
 include snippets/security.conf;
 include snippets/cross-origin-security.conf;
 include snippets/quic.conf;
diff --git a/etc/nginx/conf.d/sites_nextcloud.conf b/etc/nginx/conf.d/sites_nextcloud.conf
index 7256189..e447aad 100644
--- a/etc/nginx/conf.d/sites_nextcloud.conf
+++ b/etc/nginx/conf.d/sites_nextcloud.conf
@@ -10,7 +10,6 @@ server {
 ssl_certificate_key /etc/letsencrypt/live/cloud.yourdomain.tld/privkey.pem;
 ssl_trusted_certificate /etc/letsencrypt/live/cloud.yourdomain.tld/chain.pem;
- include snippets/hsts.conf;
 include snippets/security.conf;
 include snippets/quic.conf;
 include snippets/proxy.conf;
diff --git a/etc/nginx/conf.d/sites_uptime-kuma.conf b/etc/nginx/conf.d/sites_uptime-kuma.conf
index 741cb11..7b68172 100644
--- a/etc/nginx/conf.d/sites_uptime-kuma.conf
+++ b/etc/nginx/conf.d/sites_uptime-kuma.conf
@@ -10,7 +10,6 @@ server {
 ssl_certificate_key /etc/letsencrypt/live/uptime.yourdomain.tld/privkey.pem;
 ssl_trusted_certificate /etc/letsencrypt/live/uptime.yourdomain.tld/chain.pem;
- include snippets/hsts.conf;
 include snippets/security.conf;
 include snippets/cross-origin-security.conf;
 include snippets/quic.conf;
diff --git a/etc/nginx/conf.d/sites_vaultwarden.conf b/etc/nginx/conf.d/sites_vaultwarden.conf
index cd7b078..c734b8b 100644
--- a/etc/nginx/conf.d/sites_vaultwarden.conf
+++ b/etc/nginx/conf.d/sites_vaultwarden.conf
@@ -10,7 +10,6 @@ server {
 ssl_certificate_key /etc/letsencrypt/live/vault.yourdomain.tld/privkey.pem;
 ssl_trusted_certificate /etc/letsencrypt/live/vault.yourdomain.tld/chain.pem;
- include snippets/hsts.conf;
 include snippets/security.conf;
 include snippets/cross-origin-security.conf;
 include snippets/quic.conf;
diff --git a/etc/nginx/snippets/hsts.conf b/etc/nginx/snippets/hsts.conf
deleted file mode 100644
index 42edd6f..0000000
--- a/etc/nginx/snippets/hsts.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-# Enable HSTS header
-# Only add this to server blocks with TLS
-proxy_hide_header Strict-Transport-Security;
-add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
\ No newline at end of file
diff --git a/etc/nginx/snippets/security.conf b/etc/nginx/snippets/security.conf
index 6458c27..219a118 100644
--- a/etc/nginx/snippets/security.conf
+++ b/etc/nginx/snippets/security.conf
@@ -1,9 +1,16 @@
 # Global security headers - apply everywhere
+proxy_hide_header Strict-Transport-Security;
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+
 # We do not set clipboard-write() here, because it is very commonly used
 proxy_hide_header Strict-Transport-Security;
 add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), bluetooth=(), browsing-topics=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-create=self, publickey-credentials-get=self, screen-wake-lock=(), serial=(), speaker-selection=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
+# Access-Control-Max-Age
+proxy_hide_header Access-Control-Max-Age;
+add_header Access-Control-Max-Age "600";
+
 proxy_hide_header Permissions-Policy;
 add_header Referrer-Policy "same-origin" always;
@@ -13,10 +20,6 @@ add_header X-Content-Type-Options "nosniff" always;
 proxy_hide_header X-Permitted-Cross-Domain-Policies;
 add_header X-Permitted-Cross-Domain-Policies "none" always;
-# Access-Control-Max-Age
-proxy_hide_header Access-Control-Max-Age;
-add_header Access-Control-Max-Age "600";
-
 # Obsolete and replaced by Content-Security-Policy frame-ancestors
 # Setting the less restrictive SAMEORIGIN here, as frame-ancestors 'none' will overwrite it anyways
 proxy_hide_header X-Frame-Options;
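Review bot: The new `proxy_hide_header Strict-Transport-Security;` at the top of security.conf duplicates the one already visible on the context line under the clipboard-write comment, and the existing hide/add pairs look shifted by one: `proxy_hide_header Strict-Transport-Security;` sits above `add_header Permissions-Policy`, `proxy_hide_header Permissions-Policy;` sits above `add_header Referrer-Policy`, and no `proxy_hide_header Referrer-Policy;` appears in the hunk, so a Referrer-Policy sent by the proxied app would presumably reach the client next to the `same-origin` one (nginx ignores directive order, so the duplicate itself is harmless, but the missing Referrer-Policy hide is not). The caveat from the deleted hsts.conf should travel with the directive now that the file header says "apply everywhere": HSTS is only honoured by browsers over TLS, and `includeSubDomains; preload` commits every subdomain to HTTPS, so suggest `# HSTS: only honoured on TLS server blocks; includeSubDomains+preload commits all subdomains to HTTPS` above the new add_header. It is also worth confirming that every server block that dropped `include snippets/hsts.conf;` still includes security.conf — default-quic.conf's hunk shows no such include among its visible lines, so that server may silently lose HSTS. Finally, `add_header Access-Control-Max-Age "600";` is the only add_header in the file without `always`, so it is omitted on non-2xx/3xx responses unlike its siblings; if that is unintentional, append `always`.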