diff --git a/cluster/staging/app/garage/config/garage.toml b/cluster/staging/app/garage/config/garage.toml
index 6c92bf3..01eb237 100644
--- a/cluster/staging/app/garage/config/garage.toml
+++ b/cluster/staging/app/garage/config/garage.toml
@@ -25,6 +25,7 @@ tls_skip_verify = true
 [s3_api]
 s3_region = "garage-staging"
 api_bind_addr = "0.0.0.0:3990"
+root_domain = ".garage.staging.deuxfleurs.org"
 [k2v_api]
 api_bind_addr = "0.0.0.0:3993"
diff --git a/cluster/staging/app/garage/deploy/garage.hcl b/cluster/staging/app/garage/deploy/garage.hcl
index 67655e4..7a7b44b 100644
--- a/cluster/staging/app/garage/deploy/garage.hcl
+++ b/cluster/staging/app/garage/deploy/garage.hcl
@@ -84,7 +84,9 @@ job "garage-staging" {
 tags = [
 "garage-staging-api",
 "tricot garage.staging.deuxfleurs.org",
+ "tricot *.garage.staging.deuxfleurs.org",
 "tricot-add-header Access-Control-Allow-Origin *",
+ "tricot-on-demand-tls-ask http://garage-staging-admin.service.staging.consul:3909/check",
 "tricot-site-lb",
 ]
 port = "s3"
@@ -119,10 +121,16 @@ job "garage-staging" {
 name = "garage-staging-web"
 tags = [
 "garage-staging-web",
+ "tricot * 1",
 "tricot *.web.staging.deuxfleurs.org",
 "tricot staging.deuxfleurs.org",
 "tricot matrix.home.adnab.me/.well-known/matrix/server",
+ "tricot-add-header Strict-Transport-Security max-age=63072000; includeSubDomains; preload",
+ "tricot-add-header X-Frame-Options SAMEORIGIN",
+ "tricot-add-header X-XSS-Protection 1; mode=block",
+ "tricot-add-header X-Content-Type-Options nosniff",
 "tricot-add-header Access-Control-Allow-Origin *",
+ "tricot-on-demand-tls-ask http://garage-staging-admin.service.staging.consul:3909/check",
 "tricot-site-lb",
 ]
 port = "web"
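Review bot: The new `root_domain` key in `[s3_api]` is coupled to the `tricot *.garage.staging.deuxfleurs.org` tag added in deploy/garage.hcl, and neither file says so. If one is changed without the other, vhost-style bucket requests will either stop being routed or stop being recognised by the S3 API. I would add a comment above the key, e.g. `# vhost-style bucket access (<bucket>.garage.staging.deuxfleurs.org); keep in sync with the tricot wildcard tag in deploy/garage.hcl`.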
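Review bot: The new `tricot-on-demand-tls-ask` tag makes certificate issuance for any name under `*.garage.staging.deuxfleurs.org` depend on an answer fetched over plain HTTP from the admin port 3909, and nothing here records that dependency. If that port is reachable from outside the cluster network, or the `/check` handler approves more than existing buckets, the wildcard rule lets arbitrary hostnames trigger issuance and run into ACME rate limits; the admin service definition is outside this hunk, so please confirm its exposure. I would add a comment above the tag, e.g. `# /check is the only gate for on-demand certificates; port 3909 must stay reachable from tricot only`. The same tag is added to the `garage-staging-web` service in the next hunk, next to the catch-all `tricot * 1` rule, so the comment applies there too. The enclosing service block starts and ends outside the hunk.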
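Review bot: The added `Strict-Transport-Security` header carries `includeSubDomains; preload` on a service that also answers the catch-all `tricot * 1` rule. Assuming tricot adds these headers to every host rule of the service, each hosted site's domain and all of its subdomains get pinned to HTTPS for two years, and `staging.deuxfleurs.org` pins every other `*.staging.deuxfleurs.org` name as well. That is hard to roll back, and `preload` signals consent to preload-list submission, which a staging cluster and third-party domains probably should not give; I would use `"tricot-add-header Strict-Transport-Security max-age=63072000",` here, or a short max-age while this is being tested. `X-XSS-Protection 1; mode=block` is deprecated in current browsers and can be dropped or set to `0`. The service block starts and ends outside the hunk.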