diff --git a/README.md b/README.md
index 96806992..1ec7792c 100644
--- a/README.md
+++ b/README.md
@@ -623,11 +623,19 @@ api:
 base_path: "/rtc" # default "", API prefix for serve on suburl (/api => /rtc/api)
 static_dir: "www" # default "", folder for static files (custom web interface)
 origin: "*" # default "", allow CORS requests (only * supported)
+ tls_listen: ":1985" # default "", HTTPS port
+ tls_cert: | # default "". PEM-encoded fullchain certificate for https
+ -----BEGIN CERTIFICATE-----
+ .....
+ -----END CERTIFICATE-----
+ tls_private_key: | # default "". PEM-encoded private key for https
+ -----BEGIN PRIVATE KEY-----
+ .....
+ -----END PRIVATE KEY-----
 ```
 **PS:**
-- go2rtc doesn't provide HTTPS. Use [Nginx](https://nginx.org/) or [Ngrok](#module-ngrok) or [Home Assistant Add-on](#go2rtc-home-assistant-add-on) for this tasks
 - MJPEG over WebSocket plays better than native MJPEG because Chrome [bug](https://bugs.chromium.org/p/chromium/issues/detail?id=527446)
 - MP4 over WebSocket was created only for Apple iOS because it doesn't support MSE and native MP4
diff --git a/internal/api/api.go b/internal/api/api.go
index 09766ca5..66f738a9 100644
--- a/internal/api/api.go
+++ b/internal/api/api.go
@@ -1,6 +1,7 @@
 package api
 import (
+ "crypto/tls"
 "encoding/json"
 "github.com/AlexxIT/go2rtc/internal/app"
 "github.com/rs/zerolog"
@@ -21,6 +22,9 @@ func Init() {
 BasePath string `yaml:"base_path"`
 StaticDir string `yaml:"static_dir"`
 Origin string `yaml:"origin"`
+ TLSListen string `yaml:"tls_listen"`
+ TLSCert string `yaml:"tls_cert"`
+ TLSPrivateKey string `yaml:"tls_private_key"`
 } `yaml:"api"`
 }
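Review bot: The new `TLSPrivateKey` field in the `@@ -21,6 +22,9 @@` hunk keeps the PEM private key inline in the same YAML document as every other setting, so anything that reads back, logs or serves the configuration would also carry the key, and nothing on the field marks it as secret. I would add a field comment such as `// secret: PEM private key; never log or return it`, and consider accepting a file path as an alternative to inline PEM so the key can live in a separately permissioned file. The config struct and Init both continue outside this hunk, so whether the config is exposed elsewhere cannot be confirmed from here.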
@@ -75,6 +79,37 @@ func Init() {
 log.Fatal().Err(err).Msg("[api] serve")
 }
 }()
+
+ // Initialize the HTTPS server
+ if cfg.Mod.TLSListen != "" {
+ tlsConfig := &tls.Config{}
+ if cfg.Mod.TLSCert != "" && cfg.Mod.TLSPrivateKey != "" {
+ tlsListener, err := net.Listen("tcp", cfg.Mod.TLSListen)
+ if err != nil {
+ log.Fatal().Err(err).Msg("[api] tls listen")
+ return
+ }
+ log.Info().Str("addr", cfg.Mod.TLSListen).Msg("[api] tls listen")
+
+ cert, err := tls.X509KeyPair([]byte(cfg.Mod.TLSCert), []byte(cfg.Mod.TLSPrivateKey))
+ if err != nil {
+ print(cfg.Mod.TLSCert)
+ log.Fatal().Err(err).Msg("[api] tls load cert/key")
+ return
+ }
+ tlsConfig.Certificates = []tls.Certificate{cert}
+
+ tlsServer := &http.Server{
+ Handler: Handler,
+ TLSConfig: tlsConfig,
+ }
+ go func() {
+ if err := tlsServer.ServeTLS(tlsListener, "", ""); err != nil {
+ log.Fatal().Err(err).Msg("[api] tls serve")
+ }
+ }()
+ }
+ }
 }
 var Handler http.Handler
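Review bot: When `tls_listen` is set but `tls_cert` or `tls_private_key` is empty, the inner `if` is skipped without any log line, so the operator ends up with no HTTPS listener and no indication of it; that case should fail loudly instead. The `tls.X509KeyPair` error path also calls the builtin `print(cfg.Mod.TLSCert)`, a debug leftover that writes config PEM to stderr outside the logger and should be dropped. `&tls.Config{}` leaves the minimum protocol version to the Go toolchain default, which has differed between Go releases, so the sketch below pins `MinVersion: tls.VersionTLS12`. It also parses the key pair before `net.Listen`, so the port is not opened for a configuration that cannot be served, and drops the `return` after `log.Fatal()`, which is presumably unreachable because zerolog's Fatal exits the process. Init's body begins outside this hunk.

```go
	// Initialize the HTTPS server
	if cfg.Mod.TLSListen != "" {
		// Fail closed: a TLS address without key material is a misconfiguration.
		if cfg.Mod.TLSCert == "" || cfg.Mod.TLSPrivateKey == "" {
			log.Fatal().Msg("[api] tls_listen set without tls_cert and tls_private_key")
		}

		// Parse the key pair before opening the port; never echo PEM material.
		cert, err := tls.X509KeyPair([]byte(cfg.Mod.TLSCert), []byte(cfg.Mod.TLSPrivateKey))
		if err != nil {
			log.Fatal().Err(err).Msg("[api] tls load cert/key")
		}

		tlsListener, err := net.Listen("tcp", cfg.Mod.TLSListen)
		if err != nil {
			log.Fatal().Err(err).Msg("[api] tls listen")
		}
		log.Info().Str("addr", cfg.Mod.TLSListen).Msg("[api] tls listen")

		tlsServer := &http.Server{
			Handler: Handler,
			TLSConfig: &tls.Config{
				MinVersion:   tls.VersionTLS12,
				Certificates: []tls.Certificate{cert},
			},
		}
		// … unchanged: goroutine calling tlsServer.ServeTLS(tlsListener, "", "") …
	}
```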