diff --git a/docker-compose.yml b/docker-compose.yml
index 8fa3cb91c1fa80a50d65ebeda4847a265143486d..f676d3276a75e62ac8234d61b588122f063dde28 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -75,10 +75,17 @@ services:
       - "traefik.http.routers.nextcloud.rule=Host(`${HOST}`)"
       - "traefik.http.routers.nextcloud.tls.certresolver=myresolver"
       - "traefik.http.routers.nextcloud.entrypoints=web,websecure"
-      - "traefik.http.routers.nextcloud.middlewares=nextcloud@docker"
-      - "traefik.http.middlewares.nextcloud.headers.forceSTSHeader=true"
-      - "traefik.http.middlewares.nextcloud.headers.stsIncludeSubdomains=true"
-      - "traefik.http.middlewares.nextcloud.headers.stsSeconds=31536000"
+      - "traefik.http.routers.nextcloud.middlewares=nextcloud-caldav@docker,nextcloud-hardening@docker"
+      - "traefik.http.middlewares.nextcloud-caldav.redirectregex.permanent=true"
+      - "traefik.http.middlewares.nextcloud-caldav.redirectregex.regex=^https://(.*)/.well-known/(card|cal)dav"
+      - "traefik.http.middlewares.nextcloud-caldav.redirectregex.replacement=https://$${1}/remote.php/dav/"
+      - "traefik.http.middlewares.nextcloud-hardening.headers.sslredirect=true"
+      - "traefik.http.middlewares.nextcloud-hardening.headers.forceSTSHeader=true"
+      - "traefik.http.middlewares.nextcloud-hardening.headers.stsIncludeSubdomains=true"
+      - "traefik.http.middlewares.nextcloud-hardening.headers.stsSeconds=15552000"
+      - "traefik.http.middlewares.nextcloud-hardening.headers.stsPreload=true"
+      - "traefik.http.middlewares.nextcloud-hardening.headers.referrerPolicy=no-referrer"
+      - "traefik.http.middlewares.nextcloud-hardening.headers.customFrameOptionsValue=SAMEORIGIN"
 
 volumes:
   document_data:
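Review bot: The `nextcloud-hardening` middleware sets `stsPreload=true` while lowering `stsSeconds` from 31536000 to 15552000; the HSTS preload list requires a max-age of at least one year, so this combination advertises preload without qualifying for it. Either keep `traefik.http.middlewares.nextcloud-hardening.headers.stsSeconds=31536000` or drop the `stsPreload` label, and bear in mind that preload together with `stsIncludeSubdomains` commits every subdomain of `${HOST}` to HTTPS. nginx.conf in this same commit sends its own Strict-Transport-Security header with `max-age=15768000`, so the two layers disagree on the policy and one of them should own the header. The `headers.sslredirect` option is, as far as I know, deprecated in Traefik v2 in favour of entrypoint redirection or the `redirectscheme` middleware, which is worth confirming against the Traefik version in use.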
diff --git a/nginx.conf b/nginx.conf
index 0de695f620a95d52dd126a26b36b3584fa9dc54b..aacb81d901470b29e66ef9e654c00b2356ab0996 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -48,7 +48,9 @@ http {
    	listen 80;
 
         # Add headers to serve security related headers
+	add_header Referrer-Policy "no-referrer" always;
         add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
+	add_header X-Frame-Options "SAMEORIGIN" always;
         add_header X-Content-Type-Options nosniff;
         add_header X-XSS-Protection "1; mode=block";
         add_header X-Robots-Tag none;
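Review bot: The two added `add_header` lines carry `always`, but the neighbouring Strict-Transport-Security, X-Content-Type-Options and X-XSS-Protection lines do not, so error responses such as the 403/404 pages will carry only the new headers; adding `always` to the existing lines would make the set consistent. nginx does not inherit `add_header` from the enclosing level into a `location` that declares its own `add_header`, and the server block continues outside this hunk, so it is worth checking that such locations repeat these headers. The same Referrer-Policy and X-Frame-Options values are also set by the Traefik `nextcloud-hardening` middleware in docker-compose.yml; a comment such as `# also set by Traefik nextcloud-hardening; keep in sync` would document which layer is authoritative. The new lines are indented with a tab where the rest of the block uses spaces.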
@@ -65,9 +67,6 @@ http {
         error_page 403 /core/templates/403.php;
         error_page 404 /core/templates/404.php;
 
-        rewrite ^/.well-known/carddav /remote.php/dav/ permanent;
-        rewrite ^/.well-known/caldav /remote.php/dav/ permanent;
-
         location = /robots.txt {
             allow all;
             log_not_found off;