diff --git a/roles/nextcloud/files/Caddyfile b/roles/nextcloud/files/Caddyfile
index a54f3f5..a56ed59 100644
--- a/roles/nextcloud/files/Caddyfile
+++ b/roles/nextcloud/files/Caddyfile
@@ -10,7 +10,7 @@
 
 	header {
 		# enable HSTS
-		Strict-Transport-Security max-age=31536000;
+		Strict-Transport-Security max-age=31536000;includeSubDomains;preload;
 		Permissions-Policy interest-cohort=()
 		X-Content-Type-Options nosniff
 		X-Frame-Options SAMEORIGIN
@@ -18,11 +18,13 @@
 		X-XSS-Protection "1; mode=block"
 		X-Permitted-Cross-Domain-Policies none
 		X-Robots-Tag "noindex, nofollow"
-		-X-Powered-By
 	}
 
+	# client support (e.g. os x calendar / contacts)
 	redir /.well-known/carddav /remote.php/dav 301
 	redir /.well-known/caldav /remote.php/dav 301
+	redir /.well-known/webfinger /index.php/.well-known/webfinger 301
+	redir /.well-known/nodeinfo /index.php/.well-known/nodeinfo 301
 
     # Uncomment this block if you use the high speed files backend: https://github.com/nextcloud/notify_push
 	#handle_path /push/* {