diff --git a/network-security/index.ts b/network-security/index.ts
index b39ee12..f6ed544 100644
--- a/network-security/index.ts
+++ b/network-security/index.ts
@@ -7,6 +7,7 @@ import {
 RateLimitMiddleware,
 IpAllowListMiddleware,
 IpAllowListMiddlewareTCP,
+ TLSOptions,
 } from "./traefik";
 import { ValkeyCluster } from "./valkey";
 import { InternalIngressRoute, PrivateCertificate } from "../utils";
@@ -67,6 +68,11 @@ export class NetworkSecurity extends TerraformStack {
 name: "rate-limit",
 });
 
+ new TLSOptions(this, "tls-options", {
+ provider: kubernetes,
+ namespace,
+ });
+
 new IpAllowListMiddleware(this, "internal-ip-allow-list", {
 provider: kubernetes,
 namespace,
diff --git a/network-security/traefik/index.ts b/network-security/traefik/index.ts
index 0c29d72..3e84db1 100644
--- a/network-security/traefik/index.ts
+++ b/network-security/traefik/index.ts
@@ -1,2 +1,3 @@
 export { RateLimitMiddleware } from "./rateLimit";
 export { IpAllowListMiddleware, IpAllowListMiddlewareTCP } from "./ipAllowList";
+export { TLSOptions } from "./tlsOpts";
diff --git a/network-security/traefik/tlsOpts.ts b/network-security/traefik/tlsOpts.ts
new file mode 100644
index 0000000..3dbc6e8
--- /dev/null
+++ b/network-security/traefik/tlsOpts.ts
@@ -0,0 +1,31 @@
+import { Construct } from "constructs";
+import { Manifest } from "@cdktf/provider-kubernetes/lib/manifest";
+import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
+
+export class TLSOptions extends Construct {
+ constructor(
+ scope: Construct,
+ id: string,
+ opts: { provider: KubernetesProvider; namespace: string },
+ ) {
+ super(scope, id);
+
+ const { provider, namespace } = opts;
+
+ new Manifest(this, "traefik-tls-options", {
+ provider,
+ manifest: {
+ apiVersion: "traefik.io/v1alpha1",
+ kind: "TLSOption",
+ metadata: {
+ namespace,
+ name: "tls-options",
+ },
+ spec: {
+ minVersion: "VersionTLS13",
+ sniStrict: true,
+ },
+ },
+ });
+ }
+}
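Review bot: In tlsOpts.ts the TLSOption's name is hardcoded as `"tls-options"` inside the manifest with no way for callers to read it back, so every router that opts in has to repeat the string by hand (the ingress.ts hunk does exactly that, together with a hardcoded `"homelab"` namespace rather than the namespace this construct was actually given), and a rename on either side silently breaks the reference. Exposing it as a readonly property and using it in the manifest keeps the coupling explicit: `public readonly name = "tls-options";` on the class and `name: this.name,` in `metadata`. The class also carries no TSDoc; a header comment stating that this TLSOption pins TLS 1.3 as the minimum version and enables sniStrict, and that it only affects routers whose tls.options reference it by name and namespace, would tell the next reader that instantiating it in NetworkSecurity alone hardens nothing. If I recall Traefik semantics correctly, only a TLSOption named `default` is applied implicitly, so the explicit per-route reference is the whole mechanism and worth stating on the class.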
diff --git a/utils/traefik/ingress/ingress.ts b/utils/traefik/ingress/ingress.ts
index e90ff86..36f5cd4 100644
--- a/utils/traefik/ingress/ingress.ts
+++ b/utils/traefik/ingress/ingress.ts
@@ -110,6 +110,10 @@ export class IngressRoute extends Construct {
 if (opts.tlsSecretName) {
 spec.tls = {
 secretName: opts.tlsSecretName,
+ options: {
+ name: "tls-options",
+ namespace: "homelab",
+ },
 };
 }