diff --git a/files/fedora-cloud/haproxy.cfg b/files/fedora-cloud/haproxy.cfg
index 5489f08186..cecddd4c13 100644
--- a/files/fedora-cloud/haproxy.cfg
+++ b/files/fedora-cloud/haproxy.cfg
@@ -35,6 +35,10 @@ global
     # turn on stats unix socket
     stats socket /var/lib/haproxy/stats
+    tune.ssl.default-dh-param 1024
+    ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
+
+
 
 #---------------------------------------------------------------------
 # common defaults that all the 'listen' and 'backend' sections will
 # use if not designated in their block
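Review bot: `tune.ssl.default-dh-param 1024` pins the ephemeral DH group used by every DHE-* suite in the new cipher list to 1024 bits, which is below the strength generally recommended for DHE key exchange; `tune.ssl.default-dh-param 2048` (or a generated group via `ssl-dh-param-file`) would keep the DHE suites from being the weakest link behind the ECDHE ones. The cipher list also keeps SHA-1 CBC suites and DHE-DSS suites near the end of the preference order; they are only fallbacks here, but it is worth a comment stating that they are retained deliberately for older clients so a later maintainer knows they can be dropped. Since the second hunk repeats `no-sslv3 no-tlsv10` on seven separate bind lines, a single `ssl-default-bind-options no-sslv3 no-tlsv10` in this global section would apply the same protocol floor to every TLS bind and avoid one frontend being missed on a future edit.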
@@ -62,32 +66,46 @@ defaults
 #frontend keystone_admin *:35357
 #    default_backend keystone_admin
 
 frontend neutron
-    bind 0.0.0.0:9696 ssl crt /etc/haproxy/fed-cloud09.combined
+    bind 0.0.0.0:9696 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fed-cloud09.combined
     default_backend neutron
+    # HSTS (15768000 seconds = 6 months)
+    rspadd Strict-Transport-Security:\ max-age=15768000
 
 frontend cinder
-    bind 0.0.0.0:8776 ssl crt /etc/haproxy/fed-cloud09.combined
+    bind 0.0.0.0:8776 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fed-cloud09.combined
     default_backend cinder
+    # HSTS (15768000 seconds = 6 months)
+    rspadd Strict-Transport-Security:\ max-age=15768000
 
 frontend swift
-    bind 0.0.0.0:8080 ssl crt /etc/haproxy/fed-cloud09.combined
+    bind 0.0.0.0:8080 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fed-cloud09.combined
     default_backend swift
+    # HSTS (15768000 seconds = 6 months)
+    rspadd Strict-Transport-Security:\ max-age=15768000
 
 frontend nova
-    bind 0.0.0.0:8774 ssl crt /etc/haproxy/fed-cloud09.combined
+    bind 0.0.0.0:8774 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fed-cloud09.combined
     default_backend nova
+    # HSTS (15768000 seconds = 6 months)
+    rspadd Strict-Transport-Security:\ max-age=15768000
 
 frontend ceilometer
-    bind 0.0.0.0:8777 ssl crt /etc/haproxy/fed-cloud09.combined
+    bind 0.0.0.0:8777 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fed-cloud09.combined
     default_backend ceilometer
+    # HSTS (15768000 seconds = 6 months)
+    rspadd Strict-Transport-Security:\ max-age=15768000
 
 frontend ec2
-    bind 0.0.0.0:8773 ssl crt /etc/haproxy/fed-cloud09.combined
+    bind 0.0.0.0:8773 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fed-cloud09.combined
     default_backend ec2
+    # HSTS (15768000 seconds = 6 months)
+    rspadd Strict-Transport-Security:\ max-age=15768000
 
 frontend glance
-    bind 0.0.0.0:9292 ssl crt /etc/haproxy/fed-cloud09.combined
+    bind 0.0.0.0:9292 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fed-cloud09.combined
     default_backend glance
+    # HSTS (15768000 seconds = 6 months)
+    rspadd Strict-Transport-Security:\ max-age=15768000
 
 backend neutron
     server neutron 127.0.0.1:8696 check
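Review bot: The `rspadd Strict-Transport-Security:\ max-age=15768000` line added to each frontend sets a policy that browsers and HSTS-aware clients scope to the host name, not to the port that served it, so once any of these seven frontends has been visited every other port on fed-cloud09 is also pinned to HTTPS for six months; the comment should say so, e.g. `# HSTS is host-scoped: any plain-HTTP service on this host will be refused by clients once set`, and the change should be confirmed against any non-TLS listener still bound on this host. `rspadd` also appends the header unconditionally, so if a backend already emits Strict-Transport-Security the response carries it twice; `http-response set-header` (available alongside `rspadd` in 1.5-era HAProxy, which this config appears to target) would replace rather than duplicate it, and `rspadd` was later removed from HAProxy, so noting the intended upgrade path in the comment would help. The hunk ends in the trailing context of `backend neutron`; the rest of that backend is outside the hunk.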