diff --git a/defaults/main.yml b/defaults/main.yml
index 9ddfcd8..5a46574 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -210,13 +210,14 @@ haproxy_maxconn: 4096
 # Parameters below should only be specified if necessary, defaults are programmed in the template
 #haproxy_tuning_params:
 # nbproc: 1
-# bufsize: 384000
-# chksize: 16384
-# comp_maxlevel: 1
-# http_maxhdr: 101
-# maxaccept: 64
-# ssl_cachesize: 20000
-# ssl_lifetime: 300
+# tune.bufsize: 384000
+# tune.chksize: 16384
+# tune.comp_maxlevel: 1
+# tune.http_maxhdr: 101
+# tune.maxaccept: 64
+# tune.ssl_cachesize: 20000
+# tune.ssl_lifetime: 300
+haproxy_tuning_params: {}
 
 # Add extra VIPs to all services
 extra_lb_vip_addresses: []
diff --git a/releasenotes/notes/haproxy_tuning_params_released-45eb40104747561a.yaml b/releasenotes/notes/haproxy_tuning_params_released-45eb40104747561a.yaml
new file mode 100644
index 0000000..7ca0ddf
--- /dev/null
+++ b/releasenotes/notes/haproxy_tuning_params_released-45eb40104747561a.yaml
@@ -0,0 +1,20 @@
+---
+upgrade:
+ - |
+ If you have defined ``haproxy_tuning_params`` in your deployment, make sure
+ that before upgrade all keys are valid haproxy options. For example,
+ instead of ``chksize: 16384`` you should set ``tune.chksize: 16384``.
+ Otherwise invalid config will be generated and haproxy will fail on
+ startup.
+ No upgrade scripts are provided for this change as well as no backwards
+ compatability.
+other:
+ - |
+ Restriction on parameters that can be passed to ``haproxy_tuning_params``
+ has been released. This means, that any tuning parameter can be passed in
+ key/value format.
+fixes:
+ - |
+ By default we increase ``tune.maxrewrite`` as otherwise while using CSP
+ headers, their size could exceed allowed buffer.
+ Also deployers can override this value if needed.
diff --git a/templates/haproxy.cfg.j2 b/templates/haproxy.cfg.j2
index ece82ea..bad50c0 100644
--- a/templates/haproxy.cfg.j2
+++ b/templates/haproxy.cfg.j2
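Review bot: Four of the rewritten example keys do not match the directive names the old template emitted: the removed template lines wrote `tune.comp.maxlevel`, `tune.http.maxhdr`, `tune.ssl.cachesize` and `tune.ssl.lifetime`, while the commented example now shows `tune.comp_maxlevel`, `tune.http_maxhdr`, `tune.ssl_cachesize` and `tune.ssl_lifetime`. Because the new template copies keys verbatim into the `global` section, a deployer who follows this example gets exactly the invalid-config startup failure the release note warns about; the four comment lines should use the dotted names, e.g. `#  tune.ssl.cachesize: 20000`. The surviving context line `# Parameters below should only be specified if necessary, defaults are programmed in the template` is also stale now that the template only supplies `tune.maxrewrite` and nothing else. Any value that looks like a YAML boolean (`on`, `off`, `yes`) in this mapping should be quoted, since an unquoted one would presumably be rendered by Jinja as `True`/`False` in the generated config.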
@@ -7,16 +7,9 @@ global
 group haproxy
 daemon
 maxconn {{ haproxy_maxconn }}
-{% if haproxy_tuning_params is defined %}
- nbproc {{ haproxy_tuning_params.nbproc | default('1') }}
- tune.bufsize {{ haproxy_tuning_params.bufsize | default('384000') }}
- tune.chksize {{ haproxy_tuning_params.chksize | default('16384') }}
- tune.comp.maxlevel {{ haproxy_tuning_params.comp_maxlevel | default('1') }}
- tune.http.maxhdr {{ haproxy_tuning_params.http_maxhdr | default('101') }}
- tune.maxaccept {{ haproxy_tuning_params.maxaccept | default('64') }}
- tune.ssl.cachesize {{ haproxy_tuning_params.ssl_cachesize | default('20000') }}
- tune.ssl.lifetime {{ haproxy_tuning_params.ssl_lifetime | default('300') }}
-{% endif %}
+{% for key, value in ((_haproxy_default_tuning_params | default({})) | combine(haproxy_tuning_params)).items() %}
+ {{ key }} {{ value }}
+{% endfor %}
 stats socket /var/run/haproxy.stat level admin mode 600
{% if haproxy_stats_process is defined %}
 stats bind-process {{ haproxy_stats_process }}
diff --git a/vars/main.yml b/vars/main.yml
index 31e0d56..9dc4448 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -76,3 +76,9 @@ _haproxy_pki_install_certificates: |
 {% endif %}
 {% endfor %}
 {{ _pki_install }}
+
+# In case CSP is enabled, on newer haproxy versions, header size
+# fill more than bufsize-maxrewrite, which results in 500
+# See: https://github.com/haproxy/haproxy/issues/1597
+_haproxy_default_tuning_params:
+ tune.maxrewrite: 1280
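Review bot: The `for` line guards `_haproxy_default_tuning_params` with `default({})` but hands `haproxy_tuning_params` to `combine` unguarded, so a deployment that sets the key to `null` (a bare `haproxy_tuning_params:` in inventory) fails at render time instead of falling back to the role defaults; `combine(haproxy_tuning_params | default({}, true))` keeps the two halves symmetric. Keys and values are interpolated verbatim, so nothing rejects a mistyped directive name before haproxy refuses to start — a short comment above the loop stating that this mapping is written unchecked into the `global` section, or an assert on the key shape in the role's tasks, would make that contract visible. The removed block emitted `nbproc` with a default of 1 whenever the mapping was defined, whereas the new loop emits it only when a deployer sets it; that is consistent with the release note but is not mentioned there. The enclosing `global` section begins before this hunk.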
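Review bot: The comment above `_haproxy_default_tuning_params` should state what haproxy would otherwise use and why 1280 was chosen, since this value is now merged into every deployment's `global` section and overrides haproxy's own default (which, as far as I recall, is 1024 for the stock bufsize — confirm against the docs of the target version). The grammar also needs fixing; I would write `# In case CSP is enabled, on newer haproxy versions the response header size can exceed bufsize - maxrewrite, which results in a 500`. If a deployer lowers `tune.bufsize` through `haproxy_tuning_params`, haproxy may readjust maxrewrite relative to it, so the interaction between the two keys deserves a sentence as well; this is inferred from the haproxy documentation rather than from the diff.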