diff --git a/README.md b/README.md
index dd418d6..8dc82bb 100644
--- a/README.md
+++ b/README.md
@@ -155,6 +155,9 @@ Environment variables (will overwrite other server configs)
 | HMD_S3_REGION | `ap-northeast-1` | AWS S3 region |
 | HMD_S3_BUCKET | no example | AWS S3 bucket name |
 | HMD_HSTS_ENABLE | ` true` | set to enable [HSTS](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) if HTTPS is also enabled (default is ` true`) |
+| HMD_HSTS_INCLUDE_SUBDOMAINS | `true` | set to include subdomains in HSTS (default is `true`) |
+| HMD_HSTS_MAX_AGE | `31536000` | max duration in seconds to tell clients to keep HSTS status (default is a year) |
+| HMD_HSTS_PRELOAD | `true` | whether to allow preloading of the site's HSTS status (e.g. into browsers) |
 
 Application settings `config.json`
 ---
diff --git a/app.json b/app.json
index 07678ce..1de6b7d 100644
--- a/app.json
+++ b/app.json
@@ -27,6 +27,18 @@
 "description": "whether to also use HSTS if HTTPS is enabled",
 "required": false
 },
+ "HMD_HSTS_MAX_AGE": {
+ "description": "max duration, in seconds, to tell clients to keep HSTS status",
+ "required": false
+ },
+ "HMD_HSTS_INCLUDE_SUBDOMAINS": {
+ "description": "whether to tell clients to also regard subdomains as HSTS hosts",
+ "required": false
+ },
+ "HMD_HSTS_PRELOAD": {
+ "description": "whether to allow at all adding of the site to HSTS preloads (e.g. in browsers)",
+ "required": false
+ },
 "HMD_DOMAIN": {
 "description": "domain name",
 "required": false
diff --git a/lib/config/environment.js b/lib/config/environment.js
index 27b697a..40b7e09 100644
--- a/lib/config/environment.js
+++ b/lib/config/environment.js
@@ -10,6 +10,9 @@ module.exports = {
 usessl: toBooleanConfig(process.env.HMD_USESSL),
 hsts: {
 enable: toBooleanConfig(process.env.HMD_HSTS_ENABLE),
+ maxAgeSeconds: process.env.HMD_HSTS_MAX_AGE,
+ includeSubdomains: toBooleanConfig(process.env.HMD_HSTS_INCLUDE_SUBDOMAINS),
+ preload: toBooleanConfig(process.env.HMD_HSTS_PRELOAD)
 },
 protocolusessl: toBooleanConfig(process.env.HMD_PROTOCOL_USESSL),
 alloworigin: process.env.HMD_ALLOW_ORIGIN ? process.env.HMD_ALLOW_ORIGIN.split(',') : undefined,
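Review bot: `maxAgeSeconds: process.env.HMD_HSTS_MAX_AGE` passes the raw environment string through unparsed while its two sibling keys go through `toBooleanConfig`, so an empty, non-numeric or zero value reaches whatever builds the `Strict-Transport-Security` header and, depending on how that consumer merges the documented one-year default, may be emitted as `max-age=NaN` or `max-age=0` — the latter tells browsers to drop the site's HSTS entry, a silent downgrade that a misconfigured deployment would not notice. Parse and validate here, following the `alloworigin` line's pattern of falling back to `undefined` so the default still applies: `maxAgeSeconds: process.env.HMD_HSTS_MAX_AGE ? Number.parseInt(process.env.HMD_HSTS_MAX_AGE, 10) : undefined,` plus a `Number.isNaN` guard (or a small `toIntegerConfig` helper beside `toBooleanConfig`) so garbage is rejected rather than forwarded. The header-emitting code is not in this diff, so whether `''` or `NaN` is already filtered downstream needs confirming. A short comment on `preload` would also help operators, e.g. `// preload is a long-lived commitment: removal from browser preload lists takes months`, since the directive is only safe to send when the site is ready for it. The `module.exports` object holding these keys starts and ends outside the hunk.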