diff --git a/config.go b/config.go
index e338d7e..72b763a 100644
--- a/config.go
+++ b/config.go
@@ -362,6 +362,9 @@ func (a *goBlog) initConfig() error {
 	return nil
 }
 
-func (a *goBlog) httpsConfigured() bool {
-	return a.cfg.Server.PublicHTTPS || a.cfg.Server.SecurityHeaders || strings.HasPrefix(a.cfg.Server.PublicAddress, "https")
+func (a *goBlog) httpsConfigured(checkAddress bool) bool {
+	return a.cfg.Server.PublicHTTPS ||
+		a.cfg.Server.TailscaleHTTPS ||
+		a.cfg.Server.SecurityHeaders ||
+		(checkAddress && strings.HasPrefix(a.cfg.Server.PublicAddress, "https"))
 }
diff --git a/http.go b/http.go
index b82739d..a4c517a 100644
--- a/http.go
+++ b/http.go
@@ -2,7 +2,6 @@ package main
 
 import (
 	"compress/flate"
-	"crypto/tls"
 	"database/sql"
 	"errors"
 	"fmt"
@@ -20,7 +19,6 @@ import (
 	"golang.org/x/crypto/acme"
 	"golang.org/x/crypto/acme/autocert"
 	"golang.org/x/net/context"
-	"tailscale.com/client/tailscale"
 )
 
 const (
@@ -45,7 +43,7 @@ func (a *goBlog) startServer() (err error) {
 		h = h.Append(a.logMiddleware)
 	}
 	h = h.Append(middleware.Recoverer, middleware.Compress(flate.DefaultCompression), middleware.Heartbeat("/ping"))
-	if a.cfg.Server.PublicHTTPS || a.cfg.Server.SecurityHeaders {
+	if a.httpsConfigured(false) {
 		h = h.Append(a.securityHeaders)
 	}
 	finalHandler := h.Then(a.d)
@@ -82,10 +80,7 @@ func (a *goBlog) startServer() (err error) {
 		s.Addr = ":https"
 		if a.cfg.Server.TailscaleHTTPS {
 			// HTTPS via Tailscale
-			s.TLSConfig = &tls.Config{
-				GetCertificate: tailscale.GetCertificate,
-			}
-			if err = s.ListenAndServeTLS("", ""); err != nil && err != http.ErrServerClosed {
+			if err = a.startTailscaleHttps(s); err != nil {
 				return err
 			}
 		} else {
diff --git a/sessions.go b/sessions.go
index 9ad67ad..cdebfc9 100644
--- a/sessions.go
+++ b/sessions.go
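Review bot: httpsConfigured now takes a bare boolean and has no doc comment, so the two call sites (`httpsConfigured(false)` in startServer, `httpsConfigured(true)` in initSessions) give no hint what the flag toggles. Suggested comment above the function: `// httpsConfigured reports whether the blog is served over HTTPS. With checkAddress set, an https PublicAddress (presumably TLS terminated in front of this process) also counts; callers that need to know whether this server itself speaks TLS pass false.` It is also worth recording in that comment that SecurityHeaders alone satisfies the check, so enabling that option on a plain-HTTP deployment marks session cookies Secure (see the sessions.go hunks) and browsers will not send them — pre-existing behaviour, but the new parameter is the natural place to document it.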
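Review bot: The `false` on the changed `if a.httpsConfigured(false)` line is opaque at the call site, and this branch now also attaches securityHeaders when TailscaleHTTPS is set, which the old condition did not; a one-line comment would preserve the intent: `// false: an https PublicAddress alone may mean a proxy terminates TLS; only emit security headers when this process (or Tailscale) serves HTTPS or they are explicitly enabled`. Whether a proxy is the reason for excluding the address check is inferred, so adjust the wording if the motivation differs. startServer begins and ends outside this hunk.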
@@ -32,7 +32,7 @@ func (a *goBlog) initSessions() {
 	a.loginSessions = &dbSessionStore{
 		codecs: securecookie.CodecsFromPairs([]byte(a.cfg.Server.JWTSecret)),
 		options: &sessions.Options{
-			Secure: a.httpsConfigured(),
+			Secure: a.httpsConfigured(true),
 			HttpOnly: true,
 			SameSite: http.SameSiteLaxMode,
 			MaxAge: int((7 * 24 * time.Hour).Seconds()),
@@ -43,7 +43,7 @@ func (a *goBlog) initSessions() {
 	a.captchaSessions = &dbSessionStore{
 		codecs: securecookie.CodecsFromPairs([]byte(a.cfg.Server.JWTSecret)),
 		options: &sessions.Options{
-			Secure: a.httpsConfigured(),
+			Secure: a.httpsConfigured(true),
 			HttpOnly: true,
 			SameSite: http.SameSiteLaxMode,
 			MaxAge: int((24 * time.Hour).Seconds()),
diff --git a/tailscale.go b/tailscale.go
new file mode 100644
index 0000000..c554209
--- /dev/null
+++ b/tailscale.go
@@ -0,0 +1,19 @@
+package main
+
+import (
+	"crypto/tls"
+	"net/http"
+
+	"tailscale.com/client/tailscale"
+)
+
+func (a *goBlog) startTailscaleHttps(s *http.Server) error {
+	s.Addr = ":https"
+	s.TLSConfig = &tls.Config{
+		GetCertificate: tailscale.GetCertificate,
+	}
+	if err := s.ListenAndServeTLS("", ""); err != nil && err != http.ErrServerClosed {
+		return err
+	}
+	return nil
+}
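Review bot: `s.Addr = ":https"` in startTailscaleHttps duplicates the assignment the caller in startServer makes immediately before calling it (visible as context in the http.go hunk), so the listen address is decided in two places; drop it from one side — removing it from the helper keeps startServer as the single owner of the address, removing it from the caller makes the helper self-contained. The sentinel comparison should go through errors.Is so a wrapped shutdown error is still recognised: `if err := s.ListenAndServeTLS("", ""); err != nil && !errors.Is(err, http.ErrServerClosed) {` (add `"errors"` to the import block). Go naming would make this `startTailscaleHTTPS`, and a doc comment is missing: `// startTailscaleHTTPS serves s over TLS with certificates obtained through tailscale.GetCertificate; a clean shutdown (http.ErrServerClosed) is not reported as an error.` GetCertificate presumably depends on the local Tailscale daemon being reachable when a handshake arrives — if so, that operational requirement belongs in the comment too.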