diff --git a/03frontends.cfg b/03frontends.cfg
index 33d856d..e0c2657 100644
--- a/03frontends.cfg
+++ b/03frontends.cfg
@@ -314,6 +314,7 @@ frontend frontend_default
   acl miniflux hdr(host) -i miniflux.benoit.jp.net
   acl navidrome hdr(host) -i navidrome.benoit.jp.net
   acl photoprism hdr(host) -i photoprism.benoit.jp.net
+  acl uptime-kuma hdr(host) -i uptime-kuma.benoit.jp.net
   acl vaultwarden hdr(host) -i vaultwarden.benoit.jp.net
   acl www hdr(host) -i benoit.jp.net
   acl www hdr(host) -i www.benoit.jp.net
@@ -338,6 +339,7 @@ frontend frontend_default
   use_backend miniflux if miniflux
   use_backend navidrome if navidrome
   use_backend photoprism if photoprism
+  use_backend uptime-kuma if uptime-kuma
   use_backend vaultwarden if vaultwarden
   use_backend www if www
 
diff --git a/05backends.cfg b/05backends.cfg
index e5d3af6..df7036b 100644
--- a/05backends.cfg
+++ b/05backends.cfg
@@ -136,4 +136,14 @@ backend mailcow
   http-response set-header X-Content-Type-Options "nosniff"
   http-response set-header Referrer-Policy "strict-origin-when-cross-origin"
   http-response set-header Cross-Origin-Resource-Policy "same-origin"
-  server navidrome mailcow.incus:80 check
+  server mailcow mailcow.incus:80 check
+
+backend uptime-kuma
+  # set HSTS for one year after all responses
+  http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+  # add some Security headers
+  http-response set-header X-Frame-Options "SAMEORIGIN"
+  http-response set-header X-Content-Type-Options "nosniff"
+  http-response set-header Referrer-Policy "strict-origin-when-cross-origin"
+  http-response set-header Cross-Origin-Resource-Policy "same-origin"
+  server uptime-kuma mxmon:3001 check