diff --git a/CHANGES b/CHANGES
index 81fa056cd..fe77a16f8 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2243,4 +2243,5 @@
 * app mailbox is now optional
 * Fix display of user management/dashboard visiblity for email apps
 * graphite: disable tagdb and reduce log noise
+* hsts: change max-age to 2 years
diff --git a/src/nginxconfig.ejs b/src/nginxconfig.ejs
index a2d121754..1b8c1aac3 100644
--- a/src/nginxconfig.ejs
+++ b/src/nginxconfig.ejs
@@ -82,7 +82,7 @@ server {
 ssl_prefer_server_ciphers off;
 ssl_dhparam /home/yellowtent/boxdata/dhparams.pem;
- add_header Strict-Transport-Security "max-age=15768000";
+ add_header Strict-Transport-Security "max-age=63072000";
 # https://github.com/twitter/secureheaders
 # https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#tab=Compatibility_Matrix
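Review bot: The changed `add_header Strict-Transport-Security` line in `src/nginxconfig.ejs` still omits the `always` parameter, so nginx attaches the header only to 2xx/3xx responses and a client whose first response is a 4xx/5xx page never receives the policy; consider `add_header Strict-Transport-Security "max-age=63072000" always;`. The `server` block starts and ends outside this hunk, so it is worth checking whether any `location` in the template declares its own `add_header`, because nginx then stops inheriting this server-level header there. Since browsers now pin HTTPS for two years, a short comment above the directive would help, e.g. `# 2 years; clients cache this, so lowering it later only takes effect once they revisit over valid HTTPS`.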