diff --git a/.infra/files/nginx.conf b/.infra/files/nginx.conf
index 22d058a..c0bccf8 100644
--- a/.infra/files/nginx.conf
+++ b/.infra/files/nginx.conf
@@ -5,13 +5,20 @@ server {
     listen 443 ssl;
     listen [::]:443 ipv6only=on ssl;
-    ssl_certificate /etc/letsencrypt/live/master.tus.io/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/master.tus.io/privkey.pem;
+    ssl_certificate /etc/letsencrypt/live/master.tus.io/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/master.tus.io/privkey.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/master.tus.io/fullchain.pem;
 
     # Load custom parameters for Diffie Hellman key exchange to avoid the usage
     # of common primes
     ssl_dhparam /etc/nginx/dhparams.pem;
 
+    # Enable OCSP stapling which allows clients to verify that our certificate
+    # is not revoked without contacting the Certificate Authority by appending a
+    # CA-signed promise, that it's still valid, to the TLS handshake response.
+    ssl_stapling on;
+    ssl_stapling_verify on;
+
     server_name master.tus.io;
 
     # certbot will place the files required for the HTTP challenge in the