diff --git a/services/mam-api/src/index.js b/services/mam-api/src/index.js
index dad13ca..d7cf83f 100644
--- a/services/mam-api/src/index.js
+++ b/services/mam-api/src/index.js
@@ -62,6 +62,18 @@ app.use(express.json({ limit: '50mb' }));
 // Trust the reverse proxy only when explicitly told to (production HTTPS).
 if (process.env.TRUST_PROXY === 'true') app.set('trust proxy', 1);
 
+// HSTS — once a browser has seen this header over HTTPS for dragonflight.live,
+// it auto-upgrades every future http:// request to https:// before hitting the
+// wire. Cookies are Secure-only (below) and the CORS allowlist rejects HTTP,
+// so without HSTS a user who lands on http:// silently can't log in.
+// Only emit on actual HTTPS responses; req.secure honors trust proxy + X-Forwarded-Proto.
+if (process.env.AUTH_ENABLED === 'true') {
+ app.use((req, res, next) => {
+ if (req.secure) res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
+ next();
+ });
+}
+
 // Hard-fail when production-mode auth has no stable session secret. Without
 // this, express-session falls back to an in-memory random secret which
 // invalidates every session on restart and breaks multi-node deployments.
diff --git a/services/web-ui/public/index.html b/services/web-ui/public/index.html
index cab074c..bc933c4 100644
--- a/services/web-ui/public/index.html
+++ b/services/web-ui/public/index.html
@@ -2,6 +2,14 @@
+ Dragonflight · Wild Dragon Broadcast
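Review bot: `includeSubDomains` with a one-year `max-age` on the `Strict-Transport-Security` line commits every subdomain of whichever host serves this response to HTTPS, not just the API, so any sibling host still reachable over plain HTTP (staging, docs, a dev box under the same domain) becomes unreachable for a year in browsers that have cached the header; the comment block should record that this was checked, e.g. `// includeSubDomains: every host under this domain must be HTTPS-only — verify before widening max-age or adding preload.` The comment motivates the header with the user who "lands on http://", but a browser caches HSTS for the host that emitted it (plus its subdomains), so if the web UI is served from a different origin than mam-api — which the separate web-ui service in this diff suggests — that landing page is not covered by this middleware and the UI's own server needs an equivalent header. The `if (process.env.AUTH_ENABLED === 'true')` gate is not explained anywhere in the new comment; if its purpose is to keep TLS-less local deployments from ever emitting HSTS, say so in one line, and note that `req.secure` already prevents that on its own.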