diff --git a/config/haproxy/haproxy.cfg b/config/haproxy/haproxy.cfg
index 3a78f45..10e847c 100644
--- a/config/haproxy/haproxy.cfg
+++ b/config/haproxy/haproxy.cfg
@@ -5,24 +5,18 @@ global
 daemon
 tune.ssl.default-dh-param 2048
- ssl-default-bind-options no-sslv3 no-tls-tickets
- ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
+
+ ssl-default-bind-options ssl-min-ver TLSv1.2
+ ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+ ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
 defaults
- #log stdout format raw local0 debug
- log stdout format raw local0 notice
+ log stdout format raw local0 debug
+ #log stdout format raw local0 notice
 mode http
 balance roundrobin
 maxconn 1024
- #This breaks HTTP2
- #option abortonclose
- option httpclose
- option forwardfor
-
- retries 3
- option redispatch
-
 timeout client 30s
 timeout connect 30s
 timeout server 30s
@@ -37,6 +31,7 @@ defaults
 # PUBLIC
 frontend web
+ option tcplog
 bind :80
 bind :443 ssl crt /certificates strict-sni
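Review bot: The new `ssl-default-bind-options ssl-min-ver TLSv1.2` drops the `no-tls-tickets` flag that the removed line carried, so this hunk quietly re-enables TLS session tickets while otherwise tightening the cipher and ciphersuite lists; if that is not intended, `ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets` keeps the previous posture alongside the new minimum version. In the `defaults` section the swap commits `log stdout format raw local0 debug` and comments out the `notice` line, which reads as a debugging leftover rather than a production default and will make the logs considerably noisier. Removing `option forwardfor` also means the backends stop receiving the client address in X-Forwarded-For unless it is set elsewhere in the file, which I cannot see from this hunk; that affects backend-side access logs and any per-client controls applied there.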
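Review bot: `option tcplog` is added to `frontend web`, but the frontend inherits `mode http` from `defaults` (visible in the first hunk) and terminates TLS on `bind :443 ssl`, so this selects the TCP log format and drops the request line, status code and any header captures from the access logs; `option httplog` is the matching format for an HTTP frontend. The frontend body continues past the end of the hunk, so if an `option httplog` appears later it would take precedence and the added line is dead either way.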
@@ -55,12 +50,17 @@ frontend web
 http-response set-header Access-Control-Max-Age 3628800
 http-response set-header Access-Control-Allow-Methods "GET"
- # Router
- # ACL to match the sni hosts
+ # max-age is mandatory. 16000000 seconds is approximately 6 months. Use a low value during testing.
+ http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"
+
+ tcp-request inspect-delay 5s
+ tcp-request content accept if { req_ssl_hello_type 1 }
+
+ # ACLS
 acl is_base ssl_fc_sni -i "${BASE_URL}"
 acl is_stream ssl_fc_sni -i "stream.${BASE_URL}"
- # Define the ACL conditions and corresponding actions
+ # Router
 use_backend backend_api if is_base
 use_backend backend_restreamer if is_stream
@@ -70,5 +70,4 @@ backend backend_api
 backend backend_restreamer
 balance leastconn
- server restreamer1 restreamer:8080 check inter 5s rise 4 fall 2
-
+ server restreamer1 restreamer:8080 check inter 5s rise 4 fall 2
\ No newline at end of file
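Review bot: The added `tcp-request inspect-delay 5s` / `tcp-request content accept if { req_ssl_hello_type 1 }` pair is the SNI-passthrough idiom for a `mode tcp` frontend, but this frontend runs under `mode http` and terminates TLS itself (`bind :443 ssl crt /certificates strict-sni` in the earlier hunk), so as far as I can tell the content rules never see a raw ClientHello, the condition never matches, and the implicit accept applies; the `ssl_fc_sni` ACLs below already work on the terminated connection without these two lines, so I would drop them rather than leave a misleading no-op. The new HSTS header combines `preload` with `max-age=16000000`, which is below the one-year minimum the browser preload list requires, and `includeSubDomains; preload` is a long-lived, hard-to-reverse commitment for every subdomain that the "use a low value during testing" comment sits oddly next to; until the domain is deliberately submitted, `http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains" if { ssl_fc }` sets the policy only on TLS responses, where browsers honour it, and leaves preload out.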