diff --git a/files/__main__.py b/files/__main__.py
index 8a4090b54..1172029e9 100644
--- a/files/__main__.py
+++ b/files/__main__.py
@@ -110,8 +110,6 @@ def before_request():
 @app.after_request
 def after_request(response):
- response.headers.add("Strict-Transport-Security", "max-age=31536000")
- response.headers.add("X-Frame-Options", "deny")
 if response.status_code < 400:
 g.db.commit()
 g.db.close()
diff --git a/nginx.conf b/nginx.conf
index 2e57b6f4f..6a5b25a04 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -5,6 +5,8 @@ server {
 listen [::]:80;
 proxy_set_header Host $http_host;
 add_header Referrer-Policy same-origin;
+ add_header Strict-Transport-Security "max-age=3153600";
+ add_header X-Frame-Options "deny";
 location / {
 proxy_pass http://localhost:5000/;
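Review bot: The HSTS value on the added nginx.conf line is `max-age=3153600`, roughly 36 days, while the Flask line this commit removes sent `max-age=31536000` (one year); this looks like a dropped zero rather than a deliberate shortening. Both new `add_header` lines also lack `always`, so nginx attaches them only to its fixed set of 2xx/3xx responses, whereas the removed `after_request` code set them on every response, 4xx/5xx error pages included. I would write `add_header Strict-Transport-Security "max-age=31536000" always;` and `add_header X-Frame-Options "deny" always;`. The `location /` block continues outside the hunk: if it or any other location declares its own `add_header`, these server-level headers are not inherited there. The only listener visible in the hunk is port 80, so it is worth confirming that TLS is terminated in front of this server, since browsers ignore HSTS received over plain HTTP.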