diff --git a/deployment/horizon/horizon-container-puppet.yaml b/deployment/horizon/horizon-container-puppet.yaml
index ff21178c06..26be40b09a 100644
--- a/deployment/horizon/horizon-container-puppet.yaml
+++ b/deployment/horizon/horizon-container-puppet.yaml
@@ -145,6 +145,10 @@ parameters:
     default: 0
     description: Number of workers for Horizon service.
     type: number
+  HorizonHstsHeaderValue:
+    default: []
+    description: Enables HTTP Strict-Transport-Security header in response.
+    type: comma_delimited_list
 
 parameter_groups:
 - label: deprecated
@@ -168,6 +172,8 @@ conditions:
       - {get_param: HorizonDebug}
   horizon_workers_set:
     not: {equals : [{get_param: HorizonWorkers}, 0]}
+  horizon_hsts_header_value_set:
+    not: {equals : [{get_param: HorizonHstsHeaderValue}, []]}
 
 resources:
 
@@ -277,6 +283,10 @@ outputs:
               data:
                 sources:
                   - {get_param: HorizonLoggingSource}
+        haproxy:
+          if:
+            - horizon_hsts_header_value_set
+            - tripleo::profile::base::horizon::hsts_header_value: {get_param: HorizonHstsHeaderValue}
       # BEGIN DOCKER SETTINGS
       puppet_config:
         config_volume: horizon
diff --git a/releasenotes/notes/horizon-hsts-43ac1c7b602a4381.yaml b/releasenotes/notes/horizon-hsts-43ac1c7b602a4381.yaml
new file mode 100644
index 0000000000..93ef19b405
--- /dev/null
+++ b/releasenotes/notes/horizon-hsts-43ac1c7b602a4381.yaml
@@ -0,0 +1,6 @@
+---
+features:
+  - |
+    The new ``HorizonHstsHeaderValue`` parameter has been added. When this
+    parameter is set, haproxy adds HTTP Strict-Transport-Security header to
+    HTTP response to enforce SSL.