diff --git a/app.js b/app.js
index d3dd319..afeef07 100644
--- a/app.js
+++ b/app.js
@@ -6,6 +6,7 @@ const cors = require('cors');
 const config = require('./config');
 const db = require('./config/db');
 const path = require('path');
+const hsts = require('hsts');
 require('./models/TodoList');
 require('./models/User');
 
@@ -19,6 +20,15 @@ process.env.NODE_ENV === 'production'
   ? app.use(morgan('combined'))
   : app.use(morgan('dev'));
 
+if (process.env.NODE_ENV === 'production' && process.env.HSTS === true) {
+  app.use(
+    hsts({
+      maxAge: 31536000,
+      includeSubDomains: true,
+    }),
+  );
+}
+
 const passport = require('./config/passport');
 app.use(passport.initialize());
 
diff --git a/package-lock.json b/package-lock.json
index 2b592a9..0044811 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -3856,6 +3856,11 @@
 "integrity": "sha512-lIbgIIQA3lz5XaB6vxakj6sDHADJiZadYEJB+FgA+C4nubM1NwcuvUr9EJPmnH1skZqpqUzWborWo8EIUi0Sdw==",
 "dev": true
 },
+"hsts": {
+"version": "2.1.0",
+"resolved": "https://registry.npmjs.org/hsts/-/hsts-2.1.0.tgz",
+"integrity": "sha512-zXhh/DqgrTXJ7erTN6Fh5k/xjMhDGXCqdYN3wvxUvGUQvnxcFfUd8E+6vLg/nk3ss1TYMb+DhRl25fYABioTvA=="
+},
 "html-encoding-sniffer": {
 "version": "1.0.2",
 "resolved": "https://registry.npmjs.org/html-encoding-sniffer/-/html-encoding-sniffer-1.0.2.tgz",
diff --git a/package.json b/package.json
index 939d22c..43abbbf 100644
--- a/package.json
+++ b/package.json
@@ -21,6 +21,7 @@
 "dotenv": "^5.0.1",
 "express": "^4.16.3",
 "express-jwt": "^5.3.1",
+"hsts": "^2.1.0",
 "jsonwebtoken": "^8.2.1",
 "mongoose": "^5.1.1",
 "mongoose-unique-validator": "^2.0.1",
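Review bot: The guard `process.env.HSTS === true` in the second app.js hunk can never be satisfied, because every value in `process.env` is a string, so the hsts middleware is never mounted and production responses still go out without a Strict-Transport-Security header. Compare against the string form instead, `if (process.env.NODE_ENV === 'production' && process.env.HSTS === 'true') {`, and consider a short comment above it noting that the header is only meaningful when the app is actually served over HTTPS (the middleware sets the header but does not redirect HTTP to HTTPS). The package.json and package-lock.json hunks are dependency bookkeeping for the same module and need no further change.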