diff --git a/provisioning/resources/configs/openapi.yaml b/provisioning/resources/configs/openapi.yaml index f94b0a61..ab305ccf 100644 --- a/provisioning/resources/configs/openapi.yaml +++ b/provisioning/resources/configs/openapi.yaml @@ -221,9 +221,18 @@ paths: description: "Telemetry has been reconfigured" "401": description: "Unauthorized" - - - + /add-hsts: + put: + tags: + - "configuration" + summary: "Add HSTS header" + description: "Adds HSTS header to underlying caddy configuration. When added, 'Strict-Transport-Security' header is returned for each HTTPS response" + operationId: "addHsts" + responses: + "200": + description: "HSTS header has been added" + "401": + description: "Unauthorized" /restart-services: put: diff --git a/provisioning/resources/control-plane/add_hsts_header.go b/provisioning/resources/control-plane/add_hsts_header.go index e6956b20..67849fed 100644 --- a/provisioning/resources/control-plane/add_hsts_header.go +++ b/provisioning/resources/control-plane/add_hsts_header.go @@ -31,7 +31,7 @@ func addHstsHeader(configPath string) error { ` handle @isHttps { import handleProtectedPaths - header Strict-Transport-Security max-age=31536000; includeSubDomains + header Strict-Transport-Security "max-age=31536000; includeSubDomains" } ` newCaddyConfig := strings.Replace(string(currentConfig), toReplacePattern, replaceWithHsts, 1)
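Review bot: The `description` of the new `/add-hsts` operation does not state which policy the call enables, and an operator needs that before invoking it. The Caddy snippet in add_hsts_header.go sends `max-age=31536000; includeSubDomains`, so browsers will enforce HTTPS for one year on the host and on every subdomain. Nothing in this hunk describes a way to take the header back out. I would spell that out, e.g. `description: "Adds 'Strict-Transport-Security: max-age=31536000; includeSubDomains' to every HTTPS response. Browsers cache this for one year and apply it to all subdomains, so enable it only when every subdomain serves valid HTTPS."`. If the handler can also fail while rewriting or reloading the Caddy config, a `"500"` response is worth listing; the handler is not shown here, so that part is inferred.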
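Review bot: The `strings.Replace(string(currentConfig), toReplacePattern, replaceWithHsts, 1)` call at the end of this hunk is a silent no-op when `toReplacePattern` is not in the file. That is likely the case for a config already rewritten by the earlier unquoted version, which would then keep the malformed `header` line while the API still reports success. With the value unquoted, Caddy presumably parsed `max-age=31536000;` and `includeSubDomains` as two separate arguments, so those deployments may not be sending the intended header at all. I would fail loudly when nothing changed, e.g. `if newCaddyConfig == string(currentConfig) { return fmt.Errorf("add hsts: expected handle block not found in %s", configPath) }`, and consider also matching the old unquoted line so existing installs get repaired. The body of addHstsHeader continues outside the hunk, so a check may already exist further down.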