diff --git a/app.js b/app.js
index 618fba1..db93014 100644
--- a/app.js
+++ b/app.js
@@ -83,7 +83,7 @@ app.use(compression())
 // use hsts to tell https users stick to this
 if (config.hsts.enable) {
   app.use(helmet.hsts({
-    maxAge: config.hsts.maxAgeSeconds * 1000,
+    maxAge: config.hsts.maxAgeSeconds,
     includeSubdomains: config.hsts.includeSubdomains,
     preload: config.hsts.preload
   }))
diff --git a/lib/config/default.js b/lib/config/default.js
index d7a8f47..5a7ae0a 100644
--- a/lib/config/default.js
+++ b/lib/config/default.js
@@ -13,7 +13,7 @@ module.exports = {
   useSSL: false,
   hsts: {
     enable: true,
-    maxAgeSeconds: 31536000,
+    maxAgeSeconds: 60 * 60 * 24 * 365,
     includeSubdomains: true,
     preload: true
   },