diff --git a/settings.py b/settings.py
index fad125601bc9a3cefa4ba575246853d4051c9203..fa5127b30ef95ddb61f3ee355f8429f05cfd271a 100644
--- a/settings.py
+++ b/settings.py
@@ -100,11 +100,11 @@ if (get_from_env('SSL', '0') == '1'):
 
 SESSION_COOKIE_HTTPONLY = True
 
-# one week HSTS seems like a good balance for MITM prevention
+# let's go with one year because that's the way to do it now
 if (get_from_env('HSTS', '0') == '1'):
-    SECURE_HSTS_SECONDS = 3600 * 24 * 7
+    SECURE_HSTS_SECONDS = 52 * 3600 * 24 * 7
     # not doing subdomains for now cause that is not likely to be necessary and can screw things up.
-    SECURE_HSTS_INCLUDE_SUBDOMAINS = False
+    SECURE_HSTS_INCLUDE_SUBDOMAINS = True
 
 SECURE_BROWSER_XSS_FILTER = True
 SECURE_CONTENT_TYPE_NOSNIFF = True