diff --git a/.config/cypress-devcontainer.yml b/.config/cypress-devcontainer.yml
index 3907615f7..e5bc1afa5 100644
--- a/.config/cypress-devcontainer.yml
+++ b/.config/cypress-devcontainer.yml
@@ -174,6 +174,12 @@ id: 'aidx'
 # Whether disable HSTS
 #disableHsts: true
 
+# Whether to enable HSTS preload
+# Read these before enabling:
+#   - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security#preloading_strict_transport_security
+#   - https://hstspreload.org/
+#hstsPreload: false
+
 # Number of worker processes
 #clusterLimit: 1
 
diff --git a/.config/docker_example.yml b/.config/docker_example.yml
index 3f8e5734c..7d51ab044 100644
--- a/.config/docker_example.yml
+++ b/.config/docker_example.yml
@@ -168,6 +168,12 @@ id: 'aidx'
 # Whether disable HSTS
 #disableHsts: true
 
+# Whether to enable HSTS preload
+# Read these before enabling:
+#   - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security#preloading_strict_transport_security
+#   - https://hstspreload.org/
+#hstsPreload: false
+
 # Number of worker processes
 #clusterLimit: 1
 
diff --git a/.config/example.yml b/.config/example.yml
index 60a6a0aa7..ce336d9f7 100644
--- a/.config/example.yml
+++ b/.config/example.yml
@@ -250,6 +250,12 @@ id: 'aidx'
 # Whether disable HSTS
 #disableHsts: true
 
+# Whether to enable HSTS preload
+# Read these before enabling:
+#   - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security#preloading_strict_transport_security
+#   - https://hstspreload.org/
+#hstsPreload: false
+
 # Number of worker processes
 #clusterLimit: 1
 
diff --git a/.devcontainer/devcontainer.yml b/.devcontainer/devcontainer.yml
index 3eb4fc287..478642587 100644
--- a/.devcontainer/devcontainer.yml
+++ b/.devcontainer/devcontainer.yml
@@ -161,6 +161,12 @@ id: 'aidx'
 # Whether disable HSTS
 #disableHsts: true
 
+# Whether to enable HSTS preload
+# Read these before enabling:
+#   - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security#preloading_strict_transport_security
+#   - https://hstspreload.org/
+#hstsPreload: false
+
 # Number of worker processes
 #clusterLimit: 1
 
diff --git a/chart/files/default.yml b/chart/files/default.yml
index 4d17131c2..1802d987c 100644
--- a/chart/files/default.yml
+++ b/chart/files/default.yml
@@ -182,6 +182,12 @@ id: "aidx"
 # Whether disable HSTS
 #disableHsts: true
 
+# Whether to enable HSTS preload
+# Read these before enabling:
+#   - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security#preloading_strict_transport_security
+#   - https://hstspreload.org/
+#hstsPreload: false
+
 # Number of worker processes
 #clusterLimit: 1
 
diff --git a/packages/backend/src/config.ts b/packages/backend/src/config.ts
index e0ec12ea5..e3abb583c 100644
--- a/packages/backend/src/config.ts
+++ b/packages/backend/src/config.ts
@@ -28,6 +28,7 @@ type Source = {
 	socket?: string;
 	chmodSocket?: string;
 	disableHsts?: boolean;
+	hstsPreload?: boolean;
 	db: {
 		host: string;
 		port: number;
@@ -108,6 +109,7 @@ export type Config = {
 	socket: string | undefined;
 	chmodSocket: string | undefined;
 	disableHsts: boolean | undefined;
+	hstsPreload: boolean | undefined;
 	db: {
 		host: string;
 		port: number;
@@ -243,6 +245,7 @@ export function loadConfig(): Config {
 		socket: config.socket,
 		chmodSocket: config.chmodSocket,
 		disableHsts: config.disableHsts,
+		hstsPreload: config.hstsPreload ?? false,
 		host,
 		hostname,
 		scheme,
diff --git a/packages/backend/src/server/ServerService.ts b/packages/backend/src/server/ServerService.ts
index fd2bd3267..a733adbc4 100644
--- a/packages/backend/src/server/ServerService.ts
+++ b/packages/backend/src/server/ServerService.ts
@@ -31,6 +31,7 @@ import { HealthServerService } from './HealthServerService.js';
 import { ClientServerService } from './web/ClientServerService.js';
 import { OpenApiServerService } from './api/openapi/OpenApiServerService.js';
 import { OAuth2ProviderService } from './oauth/OAuth2ProviderService.js';
+import { makeHstsHook } from './hsts.js';
 
 const _dirname = fileURLToPath(new URL('.', import.meta.url));
 
@@ -81,12 +82,10 @@ export class ServerService implements OnApplicationShutdown {
 		this.#fastify = fastify;
 
 		// HSTS
-		// 6months (15552000sec)
 		if (this.config.url.startsWith('https') && !this.config.disableHsts) {
-			fastify.addHook('onRequest', (request, reply, done) => {
-				reply.header('strict-transport-security', 'max-age=15552000; preload');
-				done();
-			});
+			const preload = this.config.hstsPreload;
+			const host = new URL(this.config.url).host;
+			fastify.addHook('onRequest', makeHstsHook(host, preload));
 		}
 
 		// Register raw-body parser for ActivityPub HTTP signature validation.
diff --git a/packages/backend/src/server/hsts.ts b/packages/backend/src/server/hsts.ts
new file mode 100644
index 000000000..d8f606b8b
--- /dev/null
+++ b/packages/backend/src/server/hsts.ts
@@ -0,0 +1,30 @@
+/*
+ * SPDX-FileCopyrightText: syuilo and misskey-project
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+import type { onRequestHookHandler } from "fastify";
+
+// 6months (15552000sec) by default, 1year (31536000sec) if preload is enabled
+export function makeHstsHook(host: string, preload: boolean = false): onRequestHookHandler {
+    if (preload) {
+        return (request, reply, done) => {
+            // we must permanent redirect http to https for preload to be eligible
+            // however we do not want to do this if a reverse proxy is detected
+            if (
+                (request.host === host || request.hostname === host) &&
+                (request.headers['x-forwarded-proto'] ?? request.protocol) === 'http') {
+                reply.redirect(`https://${request.hostname}${request.url}`, 301);
+            } else {
+                // 1 year is mandatory for preload
+                reply.header('strict-transport-security', 'max-age=31536000; includeSubDomains; preload');
+            }
+            done();
+        }
+    } else {
+        return (request, reply, done) => {
+            reply.header('strict-transport-security', 'max-age=15552000');
+            done();
+        }
+    }
+}
\ No newline at end of file
diff --git a/packages/backend/src/server/web/ClientServerService.ts b/packages/backend/src/server/web/ClientServerService.ts
index 4860ef3e1..209144d2d 100644
--- a/packages/backend/src/server/web/ClientServerService.ts
+++ b/packages/backend/src/server/web/ClientServerService.ts
@@ -53,6 +53,7 @@ import { FeedService } from './FeedService.js';
 import { UrlPreviewService } from './UrlPreviewService.js';
 import { ClientLoggerService } from './ClientLoggerService.js';
 import type { FastifyInstance, FastifyPluginOptions, FastifyReply } from 'fastify';
+import { makeHstsHook } from '../hsts.js';
 
 const _filename = fileURLToPath(import.meta.url);
 const _dirname = dirname(_filename);
@@ -209,6 +210,13 @@ export class ClientServerService {
 		//#region Bull Dashboard
 		const bullBoardPath = '/queue';
 
+		// HSTS
+		if (this.config.url.startsWith('https') && !this.config.disableHsts) {
+			const preload = this.config.hstsPreload;
+			const host = new URL(this.config.url).host;
+			fastify.addHook('onRequest', makeHstsHook(host, preload));
+		}
+
 		// Authenticate
 		fastify.addHook('onRequest', async (request, reply) => {
 			if (request.routeOptions.url == null) {