diff --git a/docs/usage.rst b/docs/usage.rst index 294fdb05ef1c66f6c3a68046983dc3d55cbd1728..61538833808e24e68334d3e4b71b6733320b701d 100644 --- a/docs/usage.rst +++ b/docs/usage.rst @@ -1072,6 +1072,12 @@ complex - namely they are not meant to be used directly, but instead as a dependency for a custom role. They do come with decent amount of batteries included, and also play nice with the web server role. +As mentioned before, all roles will enforce TLS by default. The web server roles +will additionaly implement HSTS policy by sending connecting clients +``Strict-Transport-Security`` header with value set to ``max-age=31536000; +includeSubDomains`` (if you disable enforcement of TLS, the header will not be +sent). + With all the above noted, let us finally move on to the next step.
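Review bot: The added paragraph states the header value ``max-age=31536000; includeSubDomains`` but not what it commits an operator to. Browsers that have received it will refuse plain HTTP for the host and every subdomain for a year, and disabling TLS enforcement later only stops the header from being sent. It does not clear the policy clients have already cached, which requires serving ``max-age=0`` over HTTPS. Suggest adding a sentence saying so, and stating whether the header value can be overridden. Two wording points in the same paragraph: "additionaly" should be "additionally", and "implement HSTS policy by sending connecting clients ``Strict-Transport-Security`` header" reads better as "implement an HSTS policy by sending the ``Strict-Transport-Security`` header to connecting clients".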