diff --git a/Caddyfile b/Caddyfile
index 483ac31..4b0a9e1 100644
--- a/Caddyfile
+++ b/Caddyfile
@@ -1,44 +1,48 @@
 # global options
 {
-        # remove comment to use staging Let's Encrypt servers (for testing)
-        # acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
+	# remove comment to use staging Let's Encrypt servers (for testing)
+	# acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
 
-        # auto_https contact mail address, for TLS certs notifications (expiry,
-        # other problems with certs)
-        email admins@pub.solar
+	# auto_https contact mail address, for TLS certs notifications (expiry,
+	# other problems with certs)
+	email admins@pub.solar
+}
+
+# security and privacy header snippet
+(security_headers) {
+	header {
+		# disable FLoC tracking
+		Permissions-Policy interest-cohort=()
+
+		# enable HSTS
+		Strict-Transport-Security max-age=63072000;
+
+		# disable clients from sniffing the media type
+		X-Content-Type-Options nosniff
+
+		# clickjacking protection
+		X-Frame-Options DENY
+
+		# keep referrer data off of HTTP connections
+		Referrer-Policy no-referrer-when-downgrade
+	}
 }
 
 # static file server
 miom.space {
-        root * /srv/miom.space
-        file_server
+	import security_headers
+	root * /srv/miom.space
+	file_server
 
-        # caddys default is no access logs at all
-        # comment this block out for debugging
-        #log {
-        #        output file /var/log/caddy-access.log
-        #}
+	# caddys default is no access logs at all
+	# comment this block out for debugging
+	#log {
+	#        output file /var/log/caddy-access.log
+	#}
 }
 
 # redirect www. subdomain to apex (root) domain
 www.miom.space {
-        redir https://miom.space{uri}
-}
-
-# security and privacy headers
-header {
-	# disable FLoC tracking
-	Permissions-Policy interest-cohort=()
-
-	# enable HSTS
-	Strict-Transport-Security max-age=63072000;
-
-	# disable clients from sniffing the media type
-	X-Content-Type-Options nosniff
-
-	# clickjacking protection
-	X-Frame-Options DENY
-
-	# keep referrer data off of HTTP connections
-	Referrer-Policy no-referrer-when-downgrade
+	import security_headers
+	redir https://miom.space{uri}
 }