diff --git a/internal/frontend/handler.go b/internal/frontend/handler.go
index da600750..362c8574 100644
--- a/internal/frontend/handler.go
+++ b/internal/frontend/handler.go
@@ -110,6 +110,9 @@ func (handler *StaticHandler) serveFile(w http.ResponseWriter, r *http.Request,
 defer file.Close() //nolint:errcheck
+ w.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
+ w.Header().Set("X-Content-Type-Options", "nosniff")
+
 if path != index {
 w.Header().Set("Vary", "Accept-Encoding, User-Agent")
 w.Header().Set("Cache-Control", fmt.Sprintf("public, max-age=%d, immutable", handler.maxAgeSec))
@@ -143,7 +146,6 @@ func (handler *StaticHandler) serveFile(w http.ResponseWriter, r *http.Request,
 )
 w.Header().Set("X-Frame-Options", "SAMEORIGIN")
- w.Header().Set("X-Content-Type-Options", "nosniff")
 w.Header().Set("Permissions-Policy", "accelerometer=(), ambient-light-sensor=(), "+
 "autoplay=(self), battery=(), camera=(), cross-origin-isolated=(self), display-capture=(), "+
 "document-domain=(), encrypted-media=(), fullscreen=(self), geolocation=(), gyroscope=(), "+
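Review bot: The `Strict-Transport-Security` header added right after `defer file.Close()` is sent on every static response with a hard-coded `max-age=31536000; includeSubDomains`, with no check that the request arrived over HTTPS and no operator control over the policy. RFC 6797 says the header must not be sent over non-secure transport, and a one-year policy that covers subdomains is hard to roll back once browsers have cached it. Consider guarding it, for example `if r.TLS != nil { w.Header().Set("Strict-Transport-Security", hstsValue) }`, extended with whatever forwarded-scheme signal the project already trusts, because `r.TLS` is nil behind a TLS-terminating proxy; `hstsValue` here stands for a value built from configuration. Only part of serveFile is visible in this hunk, so it cannot be seen whether a fronting proxy or other handlers already emit the header; if a proxy does, responses would carry it twice.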