diff --git a/gddo-server/https.go b/gddo-server/https.go
new file mode 100644
index 00000000..c2b20c0b
--- /dev/null
+++ b/gddo-server/https.go
@@ -0,0 +1,19 @@
+package main
+
+import "net/http"
+
+type httpsEnforcerHandler struct {
+ h http.Handler
+}
+
+func (h httpsEnforcerHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+ if r.Host == "godoc.org" {
+ w.Header().Add("Strict-Transport-Security", "max-age=631138519; includeSubdomains; preload")
+ if r.Header.Get("X-Scheme") != "https" {
+ r.URL.Scheme = "https"
+ http.Redirect(w, r, r.URL.String(), http.StatusFound)
+ return
+ }
+ }
+ h.h.ServeHTTP(w, r)
+}
diff --git a/gddo-server/main.go b/gddo-server/main.go
index 486addd8..31f9abb0 100644
--- a/gddo-server/main.go
+++ b/gddo-server/main.go
@@ -898,7 +898,11 @@ func main() {
 cacheBusters.Handler = mux
- if err := http.ListenAndServe(*httpAddr, hostMux{{"api.", apiMux}, {"", mux}}); err != nil {
+ allMux := httpsEnforcerHandler{
+ hostMux{{"api.", apiMux}, {"", mux}},
+ }
+
+ if err := http.ListenAndServe(*httpAddr, allMux); err != nil {
 log.Fatal(err)
 }
 }
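Review bot: In gddo-server/https.go the redirect target is built from `r.URL` after setting only the scheme, but for ordinary server requests net/http leaves `r.URL.Host` empty, so `r.URL.String()` produces a URL with no authority (of the form `https:///path`) instead of one pointing at godoc.org; clients may reject it or resolve it to an unintended host. Set the host before redirecting, e.g. `r.URL.Host = r.Host` on the line after `r.URL.Scheme = "https"`. The `r.Host == "godoc.org"` comparison is also exact, so a Host carrying a port or a subdomain skips both the header and the redirect even though the HSTS policy says `includeSubdomains`; a short doc comment on ServeHTTP saying whether that is intended would help.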
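Review bot: In gddo-server/main.go the only HTTPS signal the server now has is the `X-Scheme` request header checked by httpsEnforcerHandler, because `http.ListenAndServe` itself serves plain HTTP, and that dependency is not documented where the handler is wired in. A comment above `allMux` such as `// Requires a TLS-terminating proxy in front that always sets (and overwrites) X-Scheme; the header is not trustworthy if *httpAddr is reachable directly.` would make the assumption explicit. Whether such a proxy exists is not visible in this diff, so this should be confirmed against the deployment. main's body starts outside the hunk.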