diff --git a/README.md b/README.md
index bbdb1ed8..7118ea17 100644
--- a/README.md
+++ b/README.md
@@ -149,17 +149,19 @@ view the admin UI at http://localhost:4747
 
 ## configuration options
 
-|env var|command line arg|description|
-|---|---|---|
-|`GONIC_MUSIC_PATH`|`-music-path`|path to your music collection (see also multi-folder support below)|
-|`GONIC_PODCAST_PATH`|`-podcast-path`|path to a podcasts directory|
-|`GONIC_CACHE_PATH`|`-cache-path`|path to store audio transcodes, covers, etc|
-|`GONIC_DB_PATH`|`-db-path`|**optional** path to database file|
-|`GONIC_LISTEN_ADDR`|`-listen-addr`|**optional** host and port to listen on (eg. `0.0.0.0:4747`, `127.0.0.1:4747`) (*default* `0.0.0.0:4747`)|
-|`GONIC_PROXY_PREFIX`|`-proxy-prefix`|**optional** url path prefix to use if behind reverse proxy. eg `/gonic` (see example configs below)|
-|`GONIC_SCAN_INTERVAL`|`-scan-interval`|**optional** interval (in minutes) to check for new music (automatic scanning disabled if omitted)|
-|`GONIC_JUKEBOX_ENABLED`|`-jukebox-enabled`|**optional** whether the subsonic [jukebox api](https://airsonic.github.io/docs/jukebox/) should be enabled|
-|`GONIC_GENRE_SPLIT`|`-genre-split`|**optional** a string or character to split genre tags on for multi-genre support (eg. `;`)|
+| env var                 | command line arg   | description                                                                                                 |
+| ----------------------- | ------------------ | ----------------------------------------------------------------------------------------------------------- |
+| `GONIC_MUSIC_PATH`      | `-music-path`      | path to your music collection (see also multi-folder support below)                                         |
+| `GONIC_PODCAST_PATH`    | `-podcast-path`    | path to a podcasts directory                                                                                |
+| `GONIC_CACHE_PATH`      | `-cache-path`      | path to store audio transcodes, covers, etc                                                                 |
+| `GONIC_DB_PATH`         | `-db-path`         | **optional** path to database file                                                                          |
+| `GONIC_LISTEN_ADDR`     | `-listen-addr`     | **optional** host and port to listen on (eg. `0.0.0.0:4747`, `127.0.0.1:4747`) (_default_ `0.0.0.0:4747`)   |
+| `GONIC_TLS_CERT`        | `-tls-cert`        | **optional** path to a TLS cert (enables HTTPS listening)                                                   |
+| `GONIC_TLS_KEY`         | `-tls-key`         | **optional** path to a TLS key (enables HTTPS listening)                                                    |
+| `GONIC_PROXY_PREFIX`    | `-proxy-prefix`    | **optional** url path prefix to use if behind reverse proxy. eg `/gonic` (see example configs below)        |
+| `GONIC_SCAN_INTERVAL`   | `-scan-interval`   | **optional** interval (in minutes) to check for new music (automatic scanning disabled if omitted)          |
+| `GONIC_JUKEBOX_ENABLED` | `-jukebox-enabled` | **optional** whether the subsonic [jukebox api](https://airsonic.github.io/docs/jukebox/) should be enabled |
+| `GONIC_GENRE_SPLIT`     | `-genre-split`     | **optional** a string or character to split genre tags on for multi-genre support (eg. `;`)                 |
 
 ## screenshots
 
diff --git a/cmd/gonic/gonic.go b/cmd/gonic/gonic.go
index 5238bb49..60a8deca 100644
--- a/cmd/gonic/gonic.go
+++ b/cmd/gonic/gonic.go
@@ -30,6 +30,8 @@ const (
 func main() {
 	set := flag.NewFlagSet(gonic.Name, flag.ExitOnError)
 	confListenAddr := set.String("listen-addr", "0.0.0.0:4747", "listen address (optional)")
+	confTLSCert := set.String("tls-cert", "", "path to TLS certificate (optional)")
+	confTLSKey := set.String("tls-key", "", "path to TLS private key (optional)")
 	confPodcastPath := set.String("podcast-path", "", "path to podcasts")
 	confCachePath := set.String("cache-path", "", "path to cache")
 	confDBPath := set.String("db-path", "gonic.db", "path to database (optional)")
@@ -125,7 +127,7 @@ func main() {
 	}
 
 	var g run.Group
-	g.Add(server.StartHTTP(*confListenAddr))
+	g.Add(server.StartHTTP(*confListenAddr, *confTLSCert, *confTLSKey))
 	g.Add(server.StartSessionClean(cleanTimeDuration))
 	g.Add(server.StartPodcastRefresher(time.Hour))
 	if *confScanInterval > 0 {
diff --git a/server/server.go b/server/server.go
index 50a7884d..92b7fd38 100644
--- a/server/server.go
+++ b/server/server.go
@@ -264,7 +264,7 @@ type (
 	FuncInterrupt func(error)
 )
 
-func (s *Server) StartHTTP(listenAddr string) (FuncExecute, FuncInterrupt) {
+func (s *Server) StartHTTP(listenAddr string, tlsCert string, tlsKey string) (FuncExecute, FuncInterrupt) {
 	list := &http.Server{
 		Addr:         listenAddr,
 		Handler:      s.router,
@@ -274,6 +274,9 @@ func (s *Server) StartHTTP(listenAddr string) (FuncExecute, FuncInterrupt) {
 	}
 	return func() error {
 			log.Print("starting job 'http'\n")
+			if tlsCert != "" && tlsKey != "" {
+				return list.ListenAndServeTLS(tlsCert, tlsKey)
+			}
 			return list.ListenAndServe()
 		}, func(_ error) {
 			// stop job