diff --git a/templates/default/vHost.conf.erb b/templates/default/vHost.conf.erb
index 113b62b51a11d4df25d815bdf805495237602c5a..dd378b18c24f9d53c5d07c1b4d0ed029482772f0 100644
--- a/templates/default/vHost.conf.erb
+++ b/templates/default/vHost.conf.erb
@@ -138,6 +138,20 @@
 				downgrade-1.0 force-response-1.0
 		# MSIE 7 and newer should be able to use keepalive
 		BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
+
+		## Secure SSL config. See: https://bettercrypto.org/static/applied-crypto-hardening.pdf
+
+		SSLProtocol All -SSLv2 -SSLv3
+		SSLHonorCipherOrder On
+		SSLCompression off
+		# Add six earth month HSTS header for all users...
+		# ATTENTION! Needs header module enabled.
+		 Header always set Strict-Transport-Security "max-age=15768000"
+		# If you want to protect all subdomains, use the following header
+		# ALL subdomains HAVE TO support HTTPS if you use this!
+		# Strict-Transport-Security: "max-age=15768000 ; includeSubDomains"
+		SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:$
+
 	</VirtualHost>
 </IfModule>
 
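Review bot: The added `SSLCipherSuite` line ends in `:$` with no closing quote, which looks like a value copied from an editor that marks a horizontally cut-off line with `$`, so the tail of the cipher list is missing. Depending on how Apache and OpenSSL treat the unterminated quote and the stray `$` token, the vhost may fail its config test or run with a different cipher set than the referenced guide intends. Paste the complete string from the guide, close the quote, and check the result with `apachectl configtest`. Separately, `SSLProtocol All -SSLv2 -SSLv3` still leaves TLS 1.0 and 1.1 enabled; if no legacy clients depend on them, add `-TLSv1 -TLSv1.1`. The commented `includeSubDomains` example is written as a raw response header rather than as a `Header always set ...` directive, so it will not work if someone simply uncomments it.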
@@ -161,4 +175,4 @@
 
   CustomLog /var/log/apache2/access.log combined
   ServerSignature On
-</VirtualHost>
\ No newline at end of file
+</VirtualHost>