diff --git a/config/config.go b/config/config.go
index 05b5d3b5cb6310849bd7f7177ad5d949a88ebf7c..9bd673e73d2e6321b948ae5449d0a25f4f6e08f0 100644
--- a/config/config.go
+++ b/config/config.go
@@ -167,6 +167,11 @@ func (c *Config) OAuth2Provider() string {
 	return c.get("OAUTH2_PROVIDER", "")
 }
 
+// HasHSTS returns true if HTTP Strict Transport Security is enabled.
+func (c *Config) HasHSTS() bool {
+	return c.get("DISABLE_HSTS", "") == ""
+}
+
 // NewConfig returns a new Config.
 func NewConfig() *Config {
 	return &Config{IsHTTPS: os.Getenv("HTTPS") != ""}
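Review bot: HasHSTS treats any non-empty DISABLE_HSTS as "disabled", so `DISABLE_HSTS=0` or `DISABLE_HSTS=false` also switch HSTS off, which the doc comment does not say. This matches the non-empty-means-set convention already used for HTTPS in NewConfig, so it is probably intended, but it should be stated, e.g. `// HasHSTS returns true if HTTP Strict Transport Security is enabled; any non-empty DISABLE_HSTS value disables it.` NewConfig's body continues past the end of the hunk.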
diff --git a/config/config_test.go b/config/config_test.go
index fbc7175ebc6ee2302df99f1957a6688247643b79..2cfec81a6a3044ae8ae3312c697b236f7e99d11f 100644
--- a/config/config_test.go
+++ b/config/config_test.go
@@ -80,3 +80,22 @@ func TestDefaultBaseURL(t *testing.T) {
 		t.Fatalf(`Unexpected base path, got "%s"`, cfg.BasePath())
 	}
 }
+
+func TestHSTSOn(t *testing.T) {
+	os.Clearenv()
+	cfg := NewConfig()
+
+	if !cfg.HasHSTS() {
+		t.Fatalf(`Unexpected HSTS value, got "%v"`, cfg.HasHSTS())
+	}
+}
+
+func TestHSTSOff(t *testing.T) {
+	os.Clearenv()
+	os.Setenv("DISABLE_HSTS", "1")
+	cfg := NewConfig()
+
+	if cfg.HasHSTS() {
+		t.Fatalf(`Unexpected HSTS value, got "%v"`, cfg.HasHSTS())
+	}
+}
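Review bot: Both new tests call os.Clearenv() and never restore the process environment, so every test in this package that runs after them sees an empty environment; if that is the pattern the existing tests already follow (TestDefaultBaseURL's body starts outside the hunk, so I cannot confirm), it is at least worth keeping in mind when tests are later reordered. The return value of os.Setenv on the DISABLE_HSTS line is dropped; `if err := os.Setenv("DISABLE_HSTS", "1"); err != nil { t.Fatal(err) }` keeps a failed setup from reading as a pass, and on Go 1.17 or later t.Setenv restores the variable automatically at the end of the test. The combination that actually controls the header, IsHTTPS together with HasHSTS in commonHeaders, is not exercised by either test.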
diff --git a/http/handler/handler.go b/http/handler/handler.go
index 882e0bd2fb71572dca0c5594e615e914dbd0f53d..d698b2eb05971fd301afcc0302d650e02e92ce98 100644
--- a/http/handler/handler.go
+++ b/http/handler/handler.go
@@ -45,7 +45,7 @@ func (h *Handler) Use(f ControllerFunc) http.Handler {
 
 		ctx := NewContext(r, h.store, h.router, h.translator)
 		request := NewRequest(r)
-		response := NewResponse(w, r, h.template)
+		response := NewResponse(h.cfg, w, r, h.template)
 		language := ctx.UserLanguage()
 
 		if language != "" {
diff --git a/http/handler/response.go b/http/handler/response.go
index 34980a3633558cd6e5bf3197574a2f53021ae25a..4e4c44adf8f3f2365eddb69af36b3649e300d271 100644
--- a/http/handler/response.go
+++ b/http/handler/response.go
@@ -8,11 +8,13 @@ import (
 	"net/http"
 	"time"
 
+	"github.com/miniflux/miniflux/config"
 	"github.com/miniflux/miniflux/template"
 )
 
 // Response handles HTTP responses.
 type Response struct {
+	cfg      *config.Config
 	writer   http.ResponseWriter
 	request  *http.Request
 	template *template.Engine
@@ -74,9 +76,13 @@ func (r *Response) commonHeaders() {
 	// Even if the directive "frame-src" has been deprecated in Firefox,
 	// we keep it to stay compatible with other browsers.
 	r.writer.Header().Set("Content-Security-Policy", "default-src 'self'; img-src *; media-src *; frame-src *; child-src *")
+
+	if r.cfg.IsHTTPS && r.cfg.HasHSTS() {
+		r.writer.Header().Set("Strict-Transport-Security", "max-age=31536000")
+	}
 }
 
 // NewResponse returns a new Response.
-func NewResponse(w http.ResponseWriter, r *http.Request, template *template.Engine) *Response {
-	return &Response{writer: w, request: r, template: template}
+func NewResponse(cfg *config.Config, w http.ResponseWriter, r *http.Request, template *template.Engine) *Response {
+	return &Response{cfg: cfg, writer: w, request: r, template: template}
 }
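Review bot: commonHeaders dereferences r.cfg unconditionally in the new HSTS check, so a Response built with a nil cfg panics on the first response, and NewResponse accepts nil without complaint. Either guard it, `if r.cfg != nil && r.cfg.IsHTTPS && r.cfg.HasHSTS() {`, or document the contract on the constructor: `// NewResponse returns a new Response. cfg must be non-nil; commonHeaders reads it on every response.` Gating on IsHTTPS is the right defensive choice, since browsers ignore Strict-Transport-Security received over plain HTTP, but IsHTTPS is derived from the HTTPS environment variable in config.go rather than from the request, so behind a TLS-terminating proxy the header only appears when that variable is set; a one-line comment above the check saying so would spare operators a debugging session. commonHeaders begins outside the hunk (only its signature is visible in the @@ header).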