diff --git a/roles/archweb/templates/nginx.d.conf.j2 b/roles/archweb/templates/nginx.d.conf.j2
index 57c86168513483f5f594db61d3dfcc7de37b95c4..c7b9f8325bc64288a71b5a988c2160d5806fa009 100644
--- a/roles/archweb/templates/nginx.d.conf.j2
+++ b/roles/archweb/templates/nginx.d.conf.j2
@@ -198,6 +198,9 @@ server {
         uwsgi_cache_key $cache_key;
         add_header X-Cache-Status $upstream_cache_status;
 
+        # re-add HSTS (inheritance from sslsettings.conf broken by above header)
+        add_header Strict-Transport-Security $hsts_header always;
+
         limit_req zone=archweblimit burst=10 nodelay;
     }
 }