diff --git a/hosts/Hevana/default.nix b/hosts/Hevana/default.nix
index 81ed8cf..ce0f5f0 100644
--- a/hosts/Hevana/default.nix
+++ b/hosts/Hevana/default.nix
@@ -236,7 +236,7 @@ in
 };
 };
 webdav = {
- enable = false;
+ enable = true;
 home = "${services-root}/webdav";
 url = config.secrets.services.webdav.url;
 users = config.secrets.services.webdav.users;
diff --git a/modules/secrets/default.nix b/modules/secrets/default.nix
index 0d47e9a..707a180 100644
Binary files a/modules/secrets/default.nix and b/modules/secrets/default.nix differ
diff --git a/modules/services/webdav.nix b/modules/services/webdav.nix
index 2e6dde1..3b7d102 100644
--- a/modules/services/webdav.nix
+++ b/modules/services/webdav.nix
@@ -43,6 +43,7 @@ in
 port = port;
 scope = cfg.home;
 users = cfg.users;
+ behindProxy = true;
 };
 };
@@ -60,6 +61,32 @@ in
 };
 };
+ environment.etc = lib.mkIf config.services.fail2ban.enable { "fail2ban/filter.d/webdav.conf".text = '' [INCLUDES] before = common.conf [Definition] # Failregex to match "invalid password" and extract remote_address only failregex = ^.*invalid password\s*\{.*"remote_address":\s*""\s*\} # Failregex to match "invalid username" and extract remote_address only (if applicable) failregex += ^.*invalid username\s*\{.*"remote_address":\s*""\s*\} ignoreregex = ''; "fail2ban/jail.d/webdav.conf".text = '' [webdav] enabled = true port = ${builtins.toString port} filter = webdav logpath = /var/log/webdav/fail2ban.log banaction = iptables-allports ignoreself = false ''; }; systemd.services = { webdav.unitConfig.RequiresMountsFor = cfg.home; nginx.wants = [ config.systemd.services.webdav.name ];
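Review bot: `behindProxy = true;` makes the WebDAV server take the client address from the proxy's forwarding headers (X-Forwarded-For / X-Real-IP, as the option name suggests) rather than from the TCP peer, which is only sound if nothing can reach `port` except nginx; a client that connects to the listener directly can otherwise supply any address it likes, and the fail2ban jail added later in this commit would then ban that forged address instead of the real one. I cannot see from this hunk which interface the service binds to, so please confirm it listens on loopback only or that the port is firewalled, and record the assumption next to the option with `# behindProxy trusts forwarding headers: keep the listener reachable only via nginx`. The enclosing attribute set starts outside the hunk.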
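Review bot: Both failregex lines in `fail2ban/filter.d/webdav.conf` end in `"remote_address":\s*""\s*\}`, i.e. they match an empty remote_address and contain no host group, so fail2ban has nothing to extract and will refuse to load the filter — unless the `<HOST>` tag was lost when this page was rendered, in which case ignore this point; the intended lines are presumably `failregex = ^.*invalid password\s*\{.*"remote_address":\s*"<HOST>"\s*\}` and `^.*invalid username\s*\{.*"remote_address":\s*"<HOST>"\s*\}`. The second pattern is written as `failregex +=`, which fail2ban's INI reader does not, as far as I know, treat as an append (it becomes an option named `failregex +`), so the username pattern would be silently dropped; write it as an indented continuation line under the first `failregex =` instead. In `jail.d/webdav.conf`, `ignoreself = false` combined with `banaction = iptables-allports` means that if the logged address ever turns out to be the proxy's own (e.g. nginx not passing the forwarding header), the resulting ban locks the host out of itself on every port, so keep fail2ban's default here unless there is a concrete reason. The jail also assumes the service writes to `/var/log/webdav/fail2ban.log`; that configuration is not visible in this hunk.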