diff --git a/roles/nginx/templates/vhost.conf.j2 b/roles/nginx/templates/vhost.conf.j2
index ce5480b..82cbbb5 100644
--- a/roles/nginx/templates/vhost.conf.j2
+++ b/roles/nginx/templates/vhost.conf.j2
@@ -1,6 +1,8 @@
 {% set domain_name = item.nginx_domain_name %}
 {% set domain_aliases = item.nginx_domain_aliases | default("") %}
 {% set use_https = item.use_https | default("no") %}
+{# assume HSTS is off unless a vhost explicitly sets it to "yes" #}
+{% set enable_hsts = item.nginx_enable_hsts | default("no") %}
 {% set has_wordpress = item.has_wordpress | default("no") %}
 
 {% if use_https == "yes" %}
@@ -69,7 +71,7 @@ server {
     fastcgi_cache_bypass $http_pragma $wordpress_logged_in;
     fastcgi_no_cache $http_pragma $wordpress_logged_in;
 
-    {% if use_https == "yes" %}
+    {% if use_https == "yes" and enable_hsts == "yes" %}
     # Enable this if you want HSTS (recommended, but be careful)
     # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
     # See: https://hstspreload.appspot.com/
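Review bot: The new `default("no")` on `enable_hsts` combined with the tightened condition in the second hunk silently drops the Strict-Transport-Security header from every existing HTTPS vhost that does not already set `nginx_enable_hsts: "yes"`, which is a security downgrade rather than a no-op refactor; if the intent is opt-in, the role's defaults or README should say so and the rollout should be checked against the inventory. The comparison is also string-only: an unquoted `yes` in YAML is loaded as boolean true in Ansible, so `nginx_enable_hsts: yes` would not match `"yes"` and HSTS would stay off without any error — the existing `use_https == "yes"` check has the same trap, so at minimum the added comment should read `{# HSTS is off unless the vhost sets nginx_enable_hsts to the string "yes" (quote it in YAML) #}`. The `# Enable this if you want HSTS` comment below the changed `{% if %}` is now stale, since the block is controlled by the variable rather than by editing the template. The `server {` block this hunk sits in begins and ends outside the hunk.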