diff --git a/conf/mta-sts.txt b/conf/mta-sts.txt
index 376102bc..26acc015 100644
--- a/conf/mta-sts.txt
+++ b/conf/mta-sts.txt
@@ -1,4 +1,4 @@
 version: STSv1
 mode: MODE
 mx: PRIMARY_HOSTNAME
-max_age: 86400
\ No newline at end of file
+max_age: 604800
diff --git a/conf/nginx-primaryonly.conf b/conf/nginx-primaryonly.conf
index 93e27561..d7a616fe 100644
--- a/conf/nginx-primaryonly.conf
+++ b/conf/nginx-primaryonly.conf
@@ -31,20 +31,20 @@
 	rewrite ^(/cloud/oc[sm]-provider)/$ $1/index.php redirect;
 	location /cloud/ {
 		alias /usr/local/lib/owncloud/;
-	 	location ~ ^/cloud/(build|tests|config|lib|3rdparty|templates|data|README)/ {
-	 		deny all;
-	 	}
-	 	location ~ ^/cloud/(?:\.|autotest|occ|issue|indie|db_|console) {
-	 		deny all;
-	 	}
+		location ~ ^/cloud/(build|tests|config|lib|3rdparty|templates|data|README)/ {
+			deny all;
+		}
+		location ~ ^/cloud/(?:\.|autotest|occ|issue|indie|db_|console) {
+			deny all;
+		}
 		# Enable paths for service and cloud federation discovery
 		# Resolves warning in Nextcloud Settings panel
-                location ~ ^/cloud/(oc[sm]-provider)?/([^/]+\.php)$ {
-                        index index.php;
-                        include fastcgi_params;
-                        fastcgi_param SCRIPT_FILENAME /usr/local/lib/owncloud/$1/$2;
-                        fastcgi_pass php-fpm;
-                }
+		location ~ ^/cloud/(oc[sm]-provider)?/([^/]+\.php)$ {
+			index index.php;
+			include fastcgi_params;
+			fastcgi_param SCRIPT_FILENAME /usr/local/lib/owncloud/$1/$2;
+			fastcgi_pass php-fpm;
+		}
 	}
 	location ~ ^(/cloud)((?:/ocs)?/[^/]+\.php)(/.*)?$ {
 		# note: ~ has precendence over a regular location block
diff --git a/management/ssl_certificates.py b/management/ssl_certificates.py
index 1b1e9f83..3e1b5856 100755
--- a/management/ssl_certificates.py
+++ b/management/ssl_certificates.py
@@ -216,12 +216,12 @@ def get_certificates_to_provision(env, limit_domains=None, show_valid_certs=True
 				response = query_dns(domain, rtype)
 				if response != normalize_ip(value):
 					bad_dns.append("%s (%s)" % (response, rtype))
-	
+
 			if bad_dns:
 				domains_cant_provision[domain] = "The domain name does not resolve to this machine: " \
 					+ (", ".join(bad_dns)) \
 					+ "."
-			
+
 			else:
 				# DNS is all good.
 
@@ -606,10 +606,10 @@ def check_certificate(domain, ssl_certificate, ssl_private_key, warn_if_expiring
 		ndays = (cert_expiration_date-now).days
 		if not rounded_time or ndays <= 10:
 			# Yikes better renew soon!
-			expiry_info = "The certificate expires in %d days on %s." % (ndays, cert_expiration_date.strftime("%x"))
+			expiry_info = "The certificate expires in %d days on %s." % (ndays, cert_expiration_date.date().isoformat())
 		else:
 			# We'll renew it with Lets Encrypt.
-			expiry_info = "The certificate expires on %s." % cert_expiration_date.strftime("%x")
+			expiry_info = "The certificate expires on %s." % cert_expiration_date.date().isoformat()
 
 		if warn_if_expiring_soon and ndays <= warn_if_expiring_soon:
 			# Warn on day 10 to give 4 days for us to automatically renew the
diff --git a/management/templates/system-backup.html b/management/templates/system-backup.html
index 3860edb7..6afe62c8 100644
--- a/management/templates/system-backup.html
+++ b/management/templates/system-backup.html
@@ -113,10 +113,10 @@
   </div>
   <!-- Common -->
   <div class="form-group backup-target-local backup-target-rsync backup-target-s3">
-    <label for="min-age" class="col-sm-2 control-label">Days:</label>
+    <label for="min-age" class="col-sm-2 control-label">Retention Days:</label>
     <div class="col-sm-8">
       <input type="number" class="form-control" rows="1" id="min-age">
-      <div class="small" style="margin-top: 2px">This is the <i>minimum</i> number of days backup data is kept for. The box makes an incremental backup, so backup data is often kept much longer. An incremental backup file that is less than this number of days old requires that all previous increments back to the most recent full backup, plus that full backup, remain available.</div>
+      <div class="small" style="margin-top: 2px">This is the minimum time backup data is kept for. The box makes an incremental backup most nights, which requires that previous backups back to the most recent full backup be preserved, so backup data is often kept much longer than this setting. Full backups are made periodically when the incremental backup data size exceeds a limit.</div>
     </div>
   </div>
   <div class="form-group">
diff --git a/management/web_update.py b/management/web_update.py
index 0609c77b..83aa91bf 100644
--- a/management/web_update.py
+++ b/management/web_update.py
@@ -146,7 +146,7 @@ def make_domain_config(domain, templates, ssl_certificates, env):
 		finally:
 			f.close()
 		return sha1.hexdigest()
-	nginx_conf_extra += "# ssl files sha1: %s / %s\n" % (hashfile(tls_cert["private-key"]), hashfile(tls_cert["certificate"]))
+	nginx_conf_extra += "\t# ssl files sha1: %s / %s\n" % (hashfile(tls_cert["private-key"]), hashfile(tls_cert["certificate"]))
 
 	# Add in any user customizations in YAML format.
 	hsts = "yes"
@@ -188,9 +188,9 @@ def make_domain_config(domain, templates, ssl_certificates, env):
 
 	# Add the HSTS header.
 	if hsts == "yes":
-		nginx_conf_extra += "add_header Strict-Transport-Security \"max-age=15768000\" always;\n"
+		nginx_conf_extra += "\tadd_header Strict-Transport-Security \"max-age=15768000\" always;\n"
 	elif hsts == "preload":
-		nginx_conf_extra += "add_header Strict-Transport-Security \"max-age=15768000; includeSubDomains; preload\" always;\n"
+		nginx_conf_extra += "\tadd_header Strict-Transport-Security \"max-age=15768000; includeSubDomains; preload\" always;\n"
 
 	# Add in any user customizations in the includes/ folder.
 	nginx_conf_custom_include = os.path.join(env["STORAGE_ROOT"], "www", safe_domain_name(domain) + ".conf")