diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml
index df3863f..fb17d79 100644
--- a/roles/nginx/defaults/main.yml
+++ b/roles/nginx/defaults/main.yml
@@ -7,8 +7,19 @@ nginx_confd_path: /etc/nginx/conf.d
 # parent directory of vhost roots
 nginx_root_prefix: /var/www
-# TLS protocol versions to support
-nginx_tls_protocols: TLSv1 TLSv1.1 TLSv1.2
+# 1 hour timeout
+nginx_ssl_session_timeout: 1h
+# 10MB -> 40,000 sessions
+nginx_ssl_session_cache: shared:SSL:10m
+# 1400 bytes to fit in one MTU (default is 16k!)
+nginx_ssl_buffer_size: 1400
+nginx_ssl_dhparam: /etc/ssl/certs/dhparam.pem
+nginx_ssl_protocols: 'TLSv1 TLSv1.1 TLSv1.2'
+nginx_spdy_headers_comp: 6
+
+# Enable HTTP Strict Transport Security?
+# True on production, False on development!
+nginx_enable_hsts: True
 # TLS key directory
 tls_key_dir: /etc/ssl/private
diff --git a/roles/nginx/templates/https.j2 b/roles/nginx/templates/https.j2
index 705fac7..87b75ec 100644
--- a/roles/nginx/templates/https.j2
+++ b/roles/nginx/templates/https.j2
@@ -5,12 +5,12 @@
 ssl_certificate {{ tls_key_dir }}/{{ domain_name }}.crt.pem;
 ssl_certificate_key {{ tls_key_dir }}/{{ domain_name }}.crt.pem;
- ssl_session_timeout 24h; # 24 hour timeout
- ssl_session_cache shared:SSL:1m; # 1MB -> 4,000 sessions
- ssl_buffer_size 1400; # 1400 bytes to fit in one MTU
+ ssl_session_timeout {{ nginx_ssl_session_timeout }};
+ ssl_session_cache {{ nginx_ssl_session_cache }};
+ ssl_buffer_size {{ nginx_ssl_buffer_size }};
- ssl_dhparam /etc/ssl/certs/dhparam.pem;
- ssl_protocols {{ nginx_tls_protocols }};
+ ssl_dhparam {{ nginx_ssl_dhparam }};
+ ssl_protocols {{ nginx_ssl_protocols }};
 ssl_ciphers "{{ tls_cipher_suite }}";
 ssl_prefer_server_ciphers on;
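Review bot: Renaming `nginx_tls_protocols` to `nginx_ssl_protocols` silently discards any inventory or group_vars override of the old name, so a host that had been restricted to TLSv1.2 falls back to the wider default `'TLSv1 TLSv1.1 TLSv1.2'` with no error from Ansible. If the old name cannot be kept as an alias, the `ssl_protocols` line in the https.j2 hunk could honour it for a release, e.g. `ssl_protocols {{ nginx_tls_protocols | default(nginx_ssl_protocols) }};`, and the rename should be called out in the role's changelog. On that same default, TLSv1 and TLSv1.1 are deprecated protocol versions; whether they are still required depends on the clients this role serves, but the comment above the variable should state why they remain enabled so the next maintainer does not have to guess. `nginx_enable_hsts: True` would read better as the canonical lowercase `true`, which is what the YAML linters and the rest of the role's booleans expect.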
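Review bot: The two context lines at the top of the hunk point both `ssl_certificate` and `ssl_certificate_key` at the same `{{ domain_name }}.crt.pem` under `tls_key_dir`; that only works if that PEM bundles the private key with the certificate, and if the key is a separate file the `ssl_certificate_key` directive should name it. This predates the commit, but since the hunk re-templates every other TLS directive in the block it is worth confirming before merging. The inline comments removed from the template (`# 24 hour timeout`, `# 1MB -> 4,000 sessions`) presumably now live only in defaults/main.yml, so a short comment above the templated lines such as `# tunables documented in roles/nginx/defaults/main.yml` would keep the template self-explanatory.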
@@ -29,9 +29,11 @@
 ssl_session_tickets off;
 # enable SPDY header compression
- spdy_headers_comp 6;
+ spdy_headers_comp {{ nginx_spdy_headers_comp }};
+ {% if nginx_enable_hsts == True %}
 # Enable this if you want HSTS (recommended, but be careful)
 # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
 # See: https://hstspreload.appspot.com/
 add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
+ {% endif %}
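Review bot: `{% if nginx_enable_hsts == True %}` only matches a genuine boolean; an override supplied as a string (extra-vars `-e nginx_enable_hsts=true`, or `"yes"` from an inventory file) compares unequal to `True`, so the HSTS header is silently omitted on exactly the production hosts where it was meant to be on and nothing in the play fails. Use the bool filter instead: `{% if nginx_enable_hsts | bool %}`. The comment on the context line below the guard is now stale, since it still reads as if the operator has to uncomment the directive by hand; suggest `# Emitted only when nginx_enable_hsts is true (recommended in production; includeSubDomains and preload are hard to roll back)`. The `{% endif %}` appears to be the last line of the file, so the guarded block does not continue beyond the hunk.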