diff --git a/group_vars/all b/group_vars/all/vars.yml
similarity index 98%
rename from group_vars/all
rename to group_vars/all/vars.yml
index 54abf5b..02a55ad 100644
--- a/group_vars/all
+++ b/group_vars/all/vars.yml
@@ -11,6 +11,7 @@ hackmd_domain: pad.binary-kitchen.de
 hackmd_dbname: hackmd
 hackmd_dbuser: hackmd
 hackmd_dbpass: oepaich3haob7AoY
+hackmd_secret: "{{ vault_hackmd_secret }}"
 
 ldap_ca: /etc/ldap/ssl/BKCA.crt
 ldap_uri: ldaps://ldap.binary.kitchen/
diff --git a/group_vars/all/vault.yml b/group_vars/all/vault.yml
new file mode 100644
index 0000000..44f9b72
--- /dev/null
+++ b/group_vars/all/vault.yml
@@ -0,0 +1,7 @@
+$ANSIBLE_VAULT;1.1;AES256
+64323839393830353266323861653938663862323663616135396166393532333030313465393563
+6666313061303232383533343362383134663730383761660a666339353639613037663134393334
+65633566363961663138616564353761353931666363613336316335643535363533306461343662
+3339383263396438640a616433336333626632326465363931616461356539656535626432383738
+33356462366339356164373539333636386230376665303561303864366232636463616339653731
+3537623933633964383538633261633133323136366433376232
diff --git a/roles/hackmd/defaults/main.yml b/roles/hackmd/defaults/main.yml
index 417bf28..90665de 100644
--- a/roles/hackmd/defaults/main.yml
+++ b/roles/hackmd/defaults/main.yml
@@ -1,3 +1,3 @@
 ---
 
-hackmd_version: 1.1.0-ce
+hackmd_version: 1.1.1-ce
diff --git a/roles/hackmd/meta_/main.yml b/roles/hackmd/meta/main.yml
similarity index 100%
rename from roles/hackmd/meta_/main.yml
rename to roles/hackmd/meta/main.yml
diff --git a/roles/hackmd/templates/config.json.j2 b/roles/hackmd/templates/config.json.j2
index 6c72855..9c56580 100644
--- a/roles/hackmd/templates/config.json.j2
+++ b/roles/hackmd/templates/config.json.j2
@@ -2,14 +2,16 @@
     "production": {
         "domain": "{{ hackmd_domain }}",
         "protocolUseSSL": true,
-        "_hsts": {
+        "allowFreeURL": true,
+        "sessionSecret": "{{ hackmd_secret }}",
+        "hsts": {
             "enable": true,
-            "maxAgeSeconds": "31536000",
+            "maxAgeSeconds": "2592000",
             "includeSubdomains": true,
             "preload": true
         },
         "csp": {
-            "enable": false,
+            "enable": true,
             "directives": {
             },
             "upgradeInsecureRequests": "auto",