diff --git a/.gitignore b/.gitignore
index 80fb931..d6c2f36 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,3 +3,4 @@ dist/
 __pycache__/
 *.pyc
 .env
+ssl/*.pem
diff --git a/docker-compose.yml b/docker-compose.yml
index fef315d..9ab24d2 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -26,8 +26,11 @@ services:
 image: nginx:alpine
 ports:
 - "80:80"
+ - "443:443"
 volumes:
 - ./nginx/nginx.conf:/etc/nginx/conf.d/default.conf:ro
+ - ./ssl/cert.pem:/etc/nginx/ssl/cert.pem:ro
+ - ./ssl/key.pem:/etc/nginx/ssl/key.pem:ro
 depends_on:
 - backend
 - frontend
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index fb6a326..04504a9 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
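Review bot: `ssl/*.pem` only ignores files with that exact suffix, so a key dropped next to it under another name (`privkey.key`, `key.pem.bak`, a stray certbot archive copy) is still committable, and a private key that reaches the history has to be treated as compromised even after a force-push. Since the directory is meant to hold only the two PEM files plus the README added in this commit, ignore everything there and whitelist the doc: `ssl/*` followed by `!ssl/README.md`.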
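Review bot: The two new bind mounts `./ssl/cert.pem` and `./ssl/key.pem` point at files the repository does not contain (the same commit ignores `ssl/*.pem`); with the short volume syntax, if either file is absent when the stack is started Docker creates an empty directory at that host path and nginx then fails to load the certificate with a misleading error, so the precondition deserves a comment above the mounts, `# cert.pem/key.pem must exist on the host before 'docker compose up' (see ssl/README.md)`. The README in this commit has the operator copy `fullchain.pem`/`privkey.pem` by hand, so a Let's Encrypt renewal will not reach the container until someone copies again and restarts nginx; if the host layout allows it, mounting the `/etc/letsencrypt/live/<name>` directory read-only and reloading nginx from a certbot deploy hook closes that stale-certificate window. Port 80 stays published, which the nginx.conf in this commit needs for the HTTPS redirect.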
@@ -1,20 +1,47 @@
 server {
 listen 80;
- server_name _;
+ server_name static.155.116.167.89.clients.your-server.de;
+ return 301 https://$host$request_uri;
+}
+
+server {
+ listen 443 ssl;
+ server_name static.155.116.167.89.clients.your-server.de;
+
+ server_tokens off;
+
+ ssl_certificate /etc/nginx/ssl/cert.pem;
+ ssl_certificate_key /etc/nginx/ssl/key.pem;
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers HIGH:!aNULL:!MD5;
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 10m;
 client_max_body_size 100k;
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
+ add_header X-Frame-Options "DENY" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+ add_header Permissions-Policy "geolocation=(), camera=(), microphone=()" always;
+
 location /api/ {
 proxy_pass http://backend:8000;
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_hide_header Server;
+ proxy_hide_header X-Powered-By;
 }
 location / {
 proxy_pass http://frontend:80;
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_hide_header Server;
 }
 }
diff --git a/ssl/README.md b/ssl/README.md
new file mode 100644
index 0000000..ab37989
--- /dev/null
+++ b/ssl/README.md
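Review bot: `ssl_ciphers HIGH:!aNULL:!MD5;` in the new 443 server block still admits TLS 1.2 suites with static RSA key exchange and CBC MACs, so a session is not forward secret whenever a client negotiates one of them; restrict the TLS 1.2 set to ECDHE AEAD suites, `ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;` together with `ssl_prefer_server_ciphers off;` (TLS 1.3 suites are not governed by this directive). The port-80 redirect `return 301 https://$host$request_uri;` copies the client's Host header into the Location header, and because this is the only server on port 80 it answers for any Host value; `return 301 https://$server_name$request_uri;` pins the target to the configured name. `proxy_hide_header Server` in both locations strips the upstream's header, but nginx still emits its own `Server: nginx` since `server_tokens off` only drops the version, which is fine if that is the intent. `X-Forwarded-For` is built with `$proxy_add_x_forwarded_for`, which appends to any client-supplied value, so the backend must take the last entry rather than the first if it uses the header for access decisions; whether it does lies outside this hunk.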
@@ -0,0 +1,21 @@
+# SSL Zertifikat
+
+Hier die Zertifikatsdateien ablegen:
+
+- `cert.pem` - Öffentliches Zertifikat (inkl. Chain)
+- `key.pem` - Privater Schlüssel
+
+## Zertifikat mit OpenSSL erstellen (Self-Signed, für Tests)
+
+```bash
+openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
+ -keyout key.pem -out cert.pem \
+ -subj "/CN=static.155.116.167.89.clients.your-server.de"
+```
+
+## Let's Encrypt Zertifikat kopieren
+
+```bash
+cp /etc/letsencrypt/live/static.155.116.167.89.clients.your-server.de/fullchain.pem ssl/cert.pem
+cp /etc/letsencrypt/live/static.155.116.167.89.clients.your-server.de/privkey.pem ssl/key.pem
+```