diff --git a/conf/nginx-primaryonly.conf b/conf/nginx-primaryonly.conf
index d50e5c3c..915d45eb 100644
--- a/conf/nginx-primaryonly.conf
+++ b/conf/nginx-primaryonly.conf
@@ -36,6 +36,8 @@
 		add_header X-Frame-Options "DENY";
 		add_header X-Content-Type-Options nosniff;
 		add_header Content-Security-Policy "frame-ancestors 'none';";
+	    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+		add_header Referrer-Policy "strict-origin";
 	}
 
 	# Nextcloud configuration.
diff --git a/conf/nginx/security.conf b/conf/nginx/security.conf
deleted file mode 100644
index fb871805..00000000
--- a/conf/nginx/security.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
-add_header X-Frame-Options "SAMEORIGIN";
-add_header X-Content-Type-Options nosniff;
-add_header Content-Security-Policy-Report-Only "default-src 'self'; font-src *;img-src * data:; script-src *; style-src *;frame-ancestors 'self'";
-add_header Referrer-Policy "strict-origin";
diff --git a/management/web_update.py b/management/web_update.py
index 73ec4157..a22f8ed4 100644
--- a/management/web_update.py
+++ b/management/web_update.py
@@ -211,9 +211,14 @@ def make_domain_config(domain, templates, ssl_certificates, env):
 
 	# Add the HSTS header.
 	if hsts == "yes":
-		nginx_conf_extra += "\tadd_header Strict-Transport-Security \"max-age=31536000\" always;\n"
+		nginx_conf_extra += "\tadd_header Strict-Transport-Security \"max-age=31536000; includeSubDomains\" always;\n"
 	elif hsts == "preload":
 		nginx_conf_extra += "\tadd_header Strict-Transport-Security \"max-age=31536000; includeSubDomains; preload\" always;\n"
+		
+	nginx_conf_extra += "\tadd_header X-Frame-Options \"SAMEORIGIN\" always;\n"
+	nginx_conf_extra += "\tadd_header X-Content-Type-Options nosniff;\n"
+	nginx_conf_extra += "\tadd_header Content-Security-Policy \"default-src 'self'; font-src *;img-src * data:; script-src *; style-src *;frame-ancestors 'self'\";\n"
+	nginx_conf_extra += "\tadd_header Referrer-Policy \"strict-origin\";\n"
 
 	# Add in any user customizations in the includes/ folder.
 	nginx_conf_custom_include = os.path.join(env["STORAGE_ROOT"], "www", safe_domain_name(domain) + ".conf")
diff --git a/setup/web.sh b/setup/web.sh
index 12133fe2..3a8fc81b 100755
--- a/setup/web.sh
+++ b/setup/web.sh
@@ -156,8 +156,6 @@ if [ ! -f /etc/nginx/conf.d/10-geoblock.conf ]; then
     cp -f conf/nginx/conf.d/10-geoblock.conf /etc/nginx/conf.d/
 fi
 
-cp -f conf/nginx/security.conf /etc/nginx/sites-enabled/
-
 # touch logfiles that might not exist
 touch /var/log/nginx/geoipblock.log
 chown www-data /var/log/nginx/geoipblock.log