diff --git a/defaults/main.yml b/defaults/main.yml
index ddd2727..43ed4cc 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -57,6 +57,9 @@ nginx_tls_source_use_files: True
 nginx_tls_cert_source: mycert.pem
 nginx_tls_key_source: mykey.pem
+nginx_tls_ocsp_enabled: False
+
+nginx_tls_hsts_enabled: False
 nginx_hsts_options:
 - nginx_hsts_max_age=63072000
 - includeSubDomains
diff --git a/templates/etc/nginx/conf.d/header.conf.j2 b/templates/etc/nginx/conf.d/header.conf.j2
index bf19fbb..d59f3fb 100644
--- a/templates/etc/nginx/conf.d/header.conf.j2
+++ b/templates/etc/nginx/conf.d/header.conf.j2
@@ -1,6 +1,8 @@
 # {{ ansible_managed }}
 # default header settings
+{% if nginx_tls_enabled and nginx_tls_hsts_enabled %}
 add_header Strict-Transport-Security{% if nginx_hsts_options is defined %} "{{ nginx_hsts_options | join("; ") }}"{% endif %};
+{% endif %}
 add_header X-Frame-Options DENY;
 add_header X-Content-Type-Options nosniff;
 add_header X-XSS-Protection "1; mode=block";
diff --git a/templates/etc/nginx/conf.d/tls.conf.j2 b/templates/etc/nginx/conf.d/tls.conf.j2
index 7ee826a..86b496c 100644
--- a/templates/etc/nginx/conf.d/tls.conf.j2
+++ b/templates/etc/nginx/conf.d/tls.conf.j2
@@ -5,6 +5,9 @@ ssl_prefer_server_ciphers on;
 ssl_protocols TLSv1.2;
 ssl_session_cache shared:SSL:10m;
-{% if nginx_pfs_enabled and nginx_dhparam_file is defined %}
-ssl_dhparam {{ nginx_dhparam_file }};
+
+{% if nginx_tls_enabled and nginx_tls_ocsp_enabled %}
+ssl_stapling on;
+ssl_trusted_certificate /pfad/bundle.ca.pem;
+ssl_stapling_verify on;
 {% endif %}
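Review bot: The new default `nginx_tls_hsts_enabled: False` switches off the Strict-Transport-Security header that, judging by the old side of the header.conf.j2 hunk, the role previously emitted unconditionally, so existing deployments lose HSTS on upgrade without changing anything themselves. If opt-in is the intent it needs a README/changelog note; otherwise default it to `True` to keep the role's previous behaviour. While touching these defaults: the adjacent context entry `- nginx_hsts_max_age=63072000` is joined verbatim into the header value, so browsers receive `nginx_hsts_max_age=63072000` instead of the `max-age=63072000` directive HSTS requires — presumably pre-existing, but it renders the header ineffective. A comment above the two new keys, e.g. `# OCSP stapling and HSTS are opt-in; consumed by tls.conf.j2 and header.conf.j2`, would document where they are used.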
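Review bot: The guard `{% if nginx_tls_enabled and nginx_tls_hsts_enabled %}` relies on `nginx_tls_enabled`, which the defaults hunk does not add; if it is not already defined in defaults/main.yml the template will fail with an undefined-variable error rather than quietly omitting the header, so confirm it exists (the same guard is used in tls.conf.j2). A comment on the line before the guard, `# HSTS is only meaningful on the TLS listener; both flags must be set`, would make the double condition self-explanatory.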
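Review bot: `ssl_trusted_certificate /pfad/bundle.ca.pem;` is a hard-coded placeholder path that nothing in this diff deploys; nginx fails its configuration check when that file cannot be loaded, so setting `nginx_tls_ocsp_enabled` breaks the service, and a bundle that lacks the issuer chain makes `ssl_stapling_verify on` reject every OCSP response, silently disabling stapling. The path should come from a role variable defaulted in defaults/main.yml (a path variable alongside `nginx_tls_cert_source`) and the bundle shipped the same way as the certificate and key. OCSP stapling also needs a `resolver` directive so nginx can reach the responder; none is visible here, so confirm one is set elsewhere. Separately, the hunk deletes the `ssl_dhparam` block guarded by `nginx_pfs_enabled` instead of adding the stapling block beside it, which drops custom DH parameters for every user — if intentional, the now-unused `nginx_pfs_enabled`/`nginx_dhparam_file` variables and the commit message should say so; if not, restore it. The file continues past the hunk.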