diff --git a/helios/security.py b/helios/security.py
index 971499e7c18fe50e268591a39aea9cf0cacc61f5..c0228213b3db56ff51a8e6e59c97b32ea38ce8c7 100644
--- a/helios/security.py
+++ b/helios/security.py
@@ -20,6 +20,13 @@ import urllib
 
 import helios
 
+
+class HSTSMiddleware:
+    def process_response(self, request, response):
+        if settings.STS:
+          response['Strict-Transport-Security'] = "max-age=31536000; includeSubDomains; preload"
+        return response
+        
 # current voter
 def get_voter(request, user, election):
   """
diff --git a/settings.py b/settings.py
index 45a935791c711194675e4d2eff3a97ace4432888..9a580def6becaa02e2a0a0571eb765a9df4f21cf 100644
--- a/settings.py
+++ b/settings.py
@@ -101,10 +101,13 @@ if (get_from_env('SSL', '0') == '1'):
 SESSION_COOKIE_HTTPONLY = True
 
 # let's go with one year because that's the way to do it now
+STS = False
 if (get_from_env('HSTS', '0') == '1'):
-    SECURE_HSTS_SECONDS = 31536000
+    STS = True
+    # we're using our own custom middleware now
+    # SECURE_HSTS_SECONDS = 31536000
     # not doing subdomains for now cause that is not likely to be necessary and can screw things up.
-    SECURE_HSTS_INCLUDE_SUBDOMAINS = True
+    # SECURE_HSTS_INCLUDE_SUBDOMAINS = True
 
 SECURE_BROWSER_XSS_FILTER = True
 SECURE_CONTENT_TYPE_NOSNIFF = True
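Review bot: The retained comment `# not doing subdomains for now cause that is not likely to be necessary and can screw things up.` now contradicts what the new middleware sends, which is `max-age=31536000; includeSubDomains; preload` — subdomains are included, and `preload` declares eligibility for browser preload lists, which is difficult to reverse once submitted. Either delete the stale comment or make the middleware value match the stated intent, e.g. `response['Strict-Transport-Security'] = "max-age=31536000"`. The comment `# let's go with one year because that's the way to do it now` also now sits above `STS = False` rather than the max-age it describes; moving it next to the header value in helios/security.py would keep it accurate.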
@@ -121,6 +124,7 @@ MIDDLEWARE_CLASSES = (
 
     # secure a bunch of things
     'djangosecure.middleware.SecurityMiddleware',
+    'helios.security.HSTSMiddleware',
     'django.middleware.clickjacking.XFrameOptionsMiddleware',
 
     'django.middleware.common.CommonMiddleware',