diff --git a/lib/nextcloud.sh b/lib/nextcloud.sh
index 14e053e..dca9a90 100644
--- a/lib/nextcloud.sh
+++ b/lib/nextcloud.sh
@@ -54,6 +54,17 @@ services:
       - "traefik.http.routers.nextcloud.rule=Host(\`nextcloud.$DOMAIN\`)"
       - "traefik.http.routers.nextcloud.entrypoints=websecure"
       - "traefik.http.routers.nextcloud.tls.certresolver=letsencrypt"
+      - "traefik.http.routers.nextcloud.middlewares=nextcloud-redirectregex1,nextcloud-redirectregex2,nextcloudheader"
+      - "traefik.http.middlewares.nextcloud-redirectregex1.redirectregex.permanent=true"
+      - "traefik.http.middlewares.nextcloud-redirectregex1.redirectregex.regex=https?://([^/]*)/.well-known/(card|cal)dav"
+      - "traefik.http.middlewares.nextcloud-redirectregex1.redirectregex.replacement=https://$${1}/remote.php/dav/"
+      - "traefik.http.middlewares.nextcloud-redirectregex2.redirectregex.permanent=true"
+      - "traefik.http.middlewares.nextcloud-redirectregex2.redirectregex.regex=https?://([^/]*)(/.well-known[^#]*)"
+      - "traefik.http.middlewares.nextcloud-redirectregex2.redirectregex.replacement=https://$${1}/index.php$${2}"
+      - "traefik.http.middlewares.nextcloudheader.headers.stsSeconds=15552000"
+      - "traefik.http.middlewares.nextcloudheader.headers.stsIncludeSubdomains=true"
+      - "traefik.http.middlewares.nextcloudheader.headers.stsPreload=true"
+      - "traefik.http.middlewares.nextcloudheader.headers.forceSTSHeader=true"
 
 secrets:
   federated_psql_password:
@@ -71,10 +82,12 @@ echo "$ADMINPASS" > /federated/apps/nextcloud/.nextcloud.secret
 chmod 600 /federated/apps/nextcloud/.postgresql.secret /federated/apps/nextcloud/.nextcloud.secret
 
 cat > /federated/apps/nextcloud/.env <<EOF
-IMAGE_VERSION=27.1.5
+IMAGE_VERSION=28.0
 NEXTCLOUD_UPDATE=1
 PHP_MEMORY_LIMIT=2048M
 PHP_UPLOAD_LIMIT=2048M
+TRUSTED_PROXIES=172.99.0.0/16
+NEXTCLOUD_TRUSTED_DOMAINS=nextcloud.$DOMAIN
 NEXTCLOUD_ADMIN_USER=nextcloud
 NEXTCLOUD_ADMIN_PASSWORD_FILE=/run/secrets/federated_nextcloud_password
 POSTGRES_HOST=postgresql.$DOMAIN