diff --git a/internal/configs/version1/nginx-plus.ingress.tmpl b/internal/configs/version1/nginx-plus.ingress.tmpl
index d7c139e164..b843d047bd 100644
--- a/internal/configs/version1/nginx-plus.ingress.tmpl
+++ b/internal/configs/version1/nginx-plus.ingress.tmpl
@@ -53,9 +53,7 @@ server {
 	proxy_pass_header {{$proxyPassHeader}};{{end}}
 	{{end}}
 
-	{{if $server.SSL}}
-	{{if not $server.GRPCOnly}}
-	{{- if $server.HSTS}}
+	{{- if and $server.HSTS (or $server.SSL $server.HSTSBehindProxy)}}
 	set $hsts_header_val "";
 	proxy_hide_header Strict-Transport-Security;
 	{{- if $server.HSTSBehindProxy}}
@@ -69,6 +67,8 @@ server {
 	add_header Strict-Transport-Security "$hsts_header_val" always;
 	{{end}}
 
+	{{if $server.SSL}}
+	{{if not $server.GRPCOnly}}
 	{{- if $server.SSLRedirect}}
 	if ($scheme = http) {
 		return 301 https://$host:{{index $server.SSLPorts 0}}$request_uri;
diff --git a/internal/configs/version1/nginx.ingress.tmpl b/internal/configs/version1/nginx.ingress.tmpl
index d8ba9ff021..e60bd0c0a8 100644
--- a/internal/configs/version1/nginx.ingress.tmpl
+++ b/internal/configs/version1/nginx.ingress.tmpl
@@ -39,9 +39,7 @@ server {
 	{{range $proxyPassHeader := $server.ProxyPassHeaders}}
 	proxy_pass_header {{$proxyPassHeader}};{{end}}
 
-	{{if $server.SSL}}
-	{{if not $server.GRPCOnly}}
-	{{- if $server.HSTS}}
+	{{- if and $server.HSTS (or $server.SSL $server.HSTSBehindProxy)}}
 	set $hsts_header_val "";
 	proxy_hide_header Strict-Transport-Security;
 	{{- if $server.HSTSBehindProxy}}
@@ -55,6 +53,8 @@ server {
 	add_header Strict-Transport-Security "$hsts_header_val" always;
 	{{end}}
 
+	{{if $server.SSL}}
+	{{if not $server.GRPCOnly}}
 	{{- if $server.SSLRedirect}}
 	if ($scheme = http) {
 		return 301 https://$host:{{index $server.SSLPorts 0}}$request_uri;