diff --git a/services/traefik/default.nix b/services/traefik/default.nix
index e008ec84..0f9c869e 100644
--- a/services/traefik/default.nix
+++ b/services/traefik/default.nix
@@ -25,24 +25,29 @@
 };
 };
 };
- dynamicConfigOptions.http = {
- routers.api = {
- rule = "Host(`traefik.xenia.me.uk`)";
- entryPoints = ["http" "https"];
- service = "api@internal";
- middlewares = ["auth"];
- tls = {certResolver = "default";};
- };
- routers.api-internal = {
- rule = "ClientIP(`192.168.0.0/16`)";
- entryPoints = ["traefik-internal"];
- service = "api@internal";
- };
- middlewares = {
- auth.basicAuth.users = ["xenia:$apr1$LB0wVd6I$BHVPIyh.F5Ewt9/7PqAtS."];
- hsts.headers = {
- stsSeconds = "31536000";
- stsIncludeSubdomains = true;
+ dynamicConfigOptions = {
+ tls.options.default.sniStrict = true;
+ http = {
+ routers = {
+ api = {
+ rule = "Host(`traefik.xenia.me.uk`)";
+ entryPoints = ["http" "https"];
+ service = "api@internal";
+ middlewares = ["auth"];
+ tls = {certResolver = "default";};
+ };
+ api-internal = {
+ rule = "ClientIP(`192.168.0.0/16`)";
+ entryPoints = ["traefik-internal"];
+ service = "api@internal";
+ };
+ };
+ middlewares = {
+ auth.basicAuth.users = ["xenia:$apr1$LB0wVd6I$BHVPIyh.F5Ewt9/7PqAtS."];
+ hsts.headers = {
+ stsSeconds = "31536000";
+ stsIncludeSubdomains = true;
+ };
 };
 };
 };
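Review bot: The `auth.basicAuth.users` line re-added under the new `http.middlewares` block still embeds the htpasswd entry inline, so the hash lives in repository history and, if this attribute set is rendered into the Nix store as NixOS module options normally are, in a world-readable file; `$apr1$` is the MD5-based Apache scheme, which is weak against offline guessing. I would move it out of the expression with `auth.basicAuth.usersFile = "<PATH_TO_RUNTIME_SECRET>";` (placeholder; the page shows no secret mechanism) and store a bcrypt entry there, rotating the current password since the old hash is already published. Separately, `api-internal` serves `api@internal` with no `middlewares` at all, gated only by the ClientIP rule for 192.168.0.0/16; a short comment such as `# unauthenticated by design: traefik-internal is bound to the LAN interface only` would record that intent if it is true, and otherwise `middlewares = ["auth"];` belongs there too. The `hsts` middleware is defined but not attached to the `api` router in the visible lines, and the enclosing attribute set starts and ends outside the hunk, so it may be referenced elsewhere.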