diff --git a/03frontends.cfg b/03frontends.cfg
index f647717..3094989 100644
--- a/03frontends.cfg
+++ b/03frontends.cfg
@@ -314,6 +314,9 @@ frontend frontend_default
   acl mastodon hdr(host) -i mastodon.benoit.jp.net
   acl miniflux hdr(host) -i miniflux.benoit.jp.net
   acl navidrome hdr(host) -i navidrome.benoit.jp.net
+  acl nefarious hdr(host) -i nefarious.benoit.jp.net
+  acl nefarious-jackett hdr(host) -i nefarious-jackett.benoit.jp.net
+  acl nefarious-transmission hdr(host) -i nefarious-transmission.benoit.jp.net
   acl photoprism hdr(host) -i photoprism.benoit.jp.net
   acl uptime-kuma hdr(host) -i uptime-kuma.benoit.jp.net
   acl vaultwarden hdr(host) -i vaultwarden.benoit.jp.net
@@ -329,6 +332,9 @@ frontend frontend_default
   http-request deny if mailcow !letsencrypt !allowed_ips
   http-request deny if miniflux !letsencrypt !allowed_ips
   http-request deny if navidrome !JP !letsencrypt !allowed_ips
+  http-request deny if nefarious !letsencrypt !allowed_ips
+  http-request deny if nefarious-jackett !letsencrypt !allowed_ips
+  http-request deny if nefarious-transmission !letsencrypt !allowed_ips
   http-request deny if photoprism !JP !FR !letsencrypt !allowed_ips
   http-request deny if vaultwarden !letsencrypt !allowed_ips
 
@@ -348,5 +354,8 @@ frontend frontend_default
   use_backend uptime-kuma if uptime-kuma
   use_backend vaultwarden if vaultwarden
   use_backend www if www
+  use_backend nefarious if nefarious
+  use_backend nefarious-jackett if nefarious-jackett
+  use_backend nefarious-transmission if nefarious-transmission
 
   default_backend default
diff --git a/05backends.cfg b/05backends.cfg
index 7f1228a..c4593f0 100644
--- a/05backends.cfg
+++ b/05backends.cfg
@@ -157,3 +157,18 @@ backend uptime-kuma
   http-response set-header Referrer-Policy "strict-origin-when-cross-origin"
   http-response set-header Cross-Origin-Resource-Policy "cross-origin"
   server uptime-kuma mxmon:3001 check
+
+backend nefarious
+  # set HSTS for one year after all responses
+  http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+  server nefarious nefarious.incus:8000 check
+
+backend nefarious-jackett
+  # set HSTS for one year after all responses
+  http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+  server nefarious-jackett nefarious.incus:9117 check
+
+backend nefarious-transmission
+  # set HSTS for one year after all responses
+  http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+  server nefarious-transmission nefarious.incus:9091 check