diff --git a/hosts/sin/jellyfin.nix b/hosts/sin/jellyfin.nix
index 59affd3..3f9edeb 100644
--- a/hosts/sin/jellyfin.nix
+++ b/hosts/sin/jellyfin.nix
@@ -84,6 +84,7 @@ in
 group = "starr";
 settings = {
 authentication.AuthenticationMethod = "external";
+ authentication.AuthenticationType = "enabled";
 };
 };
 radarr = {
diff --git a/hosts/thea/authelia.nix b/hosts/thea/authelia.nix
index 6f0bee7..f2b92ef 100644
--- a/hosts/thea/authelia.nix
+++ b/hosts/thea/authelia.nix
@@ -49,6 +49,10 @@ in
 access_control = {
 default_policy = "deny";
 rules = [
+ {
+ domain = "radarr.shobu.fr";
+ policy = "bypass";
+ }
 {
 domain = "*.shobu.fr";
 policy = "one_factor";
diff --git a/hosts/thea/nginx.nix b/hosts/thea/nginx.nix
index 87ed1b5..a5fef14 100644
--- a/hosts/thea/nginx.nix
+++ b/hosts/thea/nginx.nix
@@ -63,6 +63,23 @@ in
 extraConfig = ''
 include ${authelia-snippets.proxy};
 include ${authelia-snippets.authelia-authrequest};
+
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+
+ # From https://gist.github.com/R0GGER/916183fca41f02df1471a6f455e5869f
+ # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years)
+ add_header Strict-Transport-Security "max-age=63072000; preload" always;
+ add_header Referrer-Policy strict-origin-when-cross-origin;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Frame-Options SAMEORIGIN;
+ add_header Content-Security-Policy upgrade-insecure-requests;
+ add_header Permissions-Policy interest-cohort=();
+ add_header Expect-CT 'enforce; max-age=604800';
+ more_set_headers 'Server: Proxy';
+ more_clear_headers 'X-Powered-By';
+ proxy_ssl_server_name on;
 '';
 };
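Review bot: In hosts/sin/jellyfin.nix I could not match `authentication.AuthenticationType` to a setting I know the *arr services read; the neighbouring key is `AuthenticationMethod`, and the companion setting I would expect is `AuthenticationRequired`, so please confirm the key name against the config the module generates, because an unrecognised key would be silently ignored. Whichever key is right, `AuthenticationMethod = "external"` means the application performs no login of its own, so a comment such as `# auth is delegated to the reverse proxy; this port must not be reachable except through it` belongs next to it. The attribute set this line sits in opens above the hunk, so I cannot see which service it configures.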
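Review bot: In hosts/thea/authelia.nix the new `bypass` rule matches every path on radarr.shobu.fr, so Authelia no longer authenticates anything on that host and the only remaining check is whatever Radarr enforces itself. If the intent is to let API clients through with their API key, scope the rule with `resources = [ "^/api([/?].*)?$" ];` so the web UI still falls through to the `*.shobu.fr` `one_factor` rule. A one-line comment above the rule saying why it exists would also help, since rule order matters and this entry has to stay ahead of the wildcard. The rules list continues past the end of the hunk.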
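Review bot: In the first hosts/thea/nginx.nix hunk only the HSTS header carries `always`, so the other `add_header` lines are not emitted on 4xx/5xx responses; add it where the header matters, e.g. `add_header X-Content-Type-Options nosniff always;` and `add_header X-Frame-Options SAMEORIGIN always;`. `Expect-CT` and `X-XSS-Protection "1; mode=block"` are deprecated and ignored by current browsers, so they can be dropped rather than carried over from the gist. The HSTS value sets `preload` without `includeSubDomains`, which the preload list does not accept, so either add `includeSubDomains` deliberately or remove `preload`. `more_set_headers` and `more_clear_headers` need the headers-more module, which is not visible in this hunk, so confirm nginx is built with it. The enclosing block starts above the hunk.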
@@ -137,9 +154,16 @@ in
 enableACME = true;
 forceSSL = true;
+ extraConfig = ''
+ # include ${authelia-snippets.authelia-location};
+ # error_log /var/log/nginx/debug_files.log debug;
+ '';
+
 locations."/" = {
 proxyPass = "http://${sin-address}:8086";
 extraConfig = ''
+ # include ${authelia-snippets.proxy};
+ # include ${authelia-snippets.authelia-authrequest};
 proxy_set_header X-Real-IP $remote_addr;
 client_max_body_size 100M;
 '';
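Review bot: The three Authelia includes in this hunk are added commented out, so as far as the hunk shows this vhost proxies to port 8086 with no auth request in front of it and is protected only by whatever the backend enforces. If that is intended, replace the dead lines with a comment that says so, e.g. `# Not behind Authelia: <reason>; the backend enforces its own login`; if it was a debugging step, uncomment `include ${authelia-snippets.authelia-location};` and the two includes in `locations."/"` before merging. The commented `error_log ... debug` line is also worth removing, since nginx debug logs record request headers. The vhost definition starts above the hunk, so I cannot tell which service this is.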