diff --git a/etc/nginx/modules/ngx_http_brotli_filter_module.so b/etc/nginx/modules/ngx_http_brotli_filter_module.so
new file mode 100755
index 0000000..bf99107
Binary files /dev/null and b/etc/nginx/modules/ngx_http_brotli_filter_module.so differ
diff --git a/etc/nginx/modules/ngx_http_brotli_static_module.so b/etc/nginx/modules/ngx_http_brotli_static_module.so
new file mode 100755
index 0000000..1e99b0e
Binary files /dev/null and b/etc/nginx/modules/ngx_http_brotli_static_module.so differ
diff --git a/etc/nginx/nginx.conf b/etc/nginx/nginx.conf
index 42f4eb4..67036d6 100644
--- a/etc/nginx/nginx.conf
+++ b/etc/nginx/nginx.conf
@@ -2,7 +2,8 @@ user mastodon; # changed from 'nginx'
 worker_processes auto;
 pid /run/nginx.pid;
-# jake: added
+# compiled brotli modules from https://github.com/google/ngx_brotli
+# see: https://github.com/jakejarvis/mastodon-scripts/wiki/Brotli-compression-for-nginx
 load_module modules/ngx_http_brotli_filter_module.so;
 load_module modules/ngx_http_brotli_static_module.so;
diff --git a/etc/nginx/sites-available/mastodon.conf b/etc/nginx/sites-available/mastodon.conf
index 8475279..6d480aa 100644
--- a/etc/nginx/sites-available/mastodon.conf
+++ b/etc/nginx/sites-available/mastodon.conf
@@ -39,7 +39,7 @@ server {
 include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
 ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
- # jake: added
+ # https://ssl-config.mozilla.org/#server=nginx&version=1.22.1&config=intermediate&openssl=1.1.1f&guideline=5.6
 ssl_stapling on;
 ssl_stapling_verify on;
 ssl_trusted_certificate /etc/letsencrypt/live/fediverse.jarv.is/chain.pem;
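Review bot: The comment added above the two `load_module` lines in nginx.conf names the upstream repository but not the ngx_brotli commit or the nginx version the checked-in `.so` files were built from, so nobody can reproduce or verify the binaries this commit adds. nginx refuses to load a dynamic module that is not binary-compatible with the running build, so these files also have to be rebuilt whenever nginx is upgraded. I would extend the comment to something like `# built from ngx_brotli <COMMIT_PLACEHOLDER> against nginx <VERSION_PLACEHOLDER>; rebuild on every nginx upgrade` and keep a checksum for each module alongside it.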
@@ -87,19 +87,19 @@ server {
 location = /sw.js {
 add_header Cache-Control "public, max-age=604800, must-revalidate";
- add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
+ add_header Strict-Transport-Security "max-age=63072000" always;
 try_files $uri =404;
 }
 location ~ ^/(assets|avatars|emoji|headers|packs|shortcuts|sounds)/ {
 add_header Cache-Control "public, max-age=2419200, must-revalidate";
- add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
+ add_header Strict-Transport-Security "max-age=63072000" always;
 try_files $uri =404;
 }
 location ~ ^/system/ {
 add_header Cache-Control "public, max-age=2419200, immutable";
- add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
+ add_header Strict-Transport-Security "max-age=63072000" always;
 try_files $uri =404;
 }
@@ -117,7 +117,7 @@ server {
 proxy_set_header Upgrade $http_upgrade;
 proxy_set_header Connection $connection_upgrade;
- add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
+ add_header Strict-Transport-Security "max-age=63072000" always;
 # debugging add_header Via "1.1 $proxy_host" always;
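Review bot: The HSTS value is repeated as a literal in each of the three location blocks of this hunk and again in the hunk at -117, so any future policy change has to touch four places. nginx does not inherit outer `add_header` directives into a block that defines its own, so a location that sets `Cache-Control` without repeating this line silently loses HSTS. Moving the line into one snippet pulled in with `include <HSTS_SNIPPET_PATH>;` (placeholder path) would keep the policy in a single place. Dropping `includeSubDomains` also narrows the policy to this exact host name, and a comment such as `# HSTS limited to this host on purpose (no includeSubDomains)` would record that the change is deliberate.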
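Review bot: The context below the changed line still carries `add_header Via "1.1 $proxy_host" always;` after a `# debugging` comment. If that is a live directive (the flattened layout of this page does not show whether it sits on its own line), every response from this location discloses the upstream name and port to clients. Since the commit is already adjusting the response headers here, I would remove it or park it as `# add_header Via "1.1 $proxy_host" always;` until it is needed again. The location block starts and ends outside the hunk.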