diff --git a/main.go b/main.go
index 246e76f..bef02d5 100644
--- a/main.go
+++ b/main.go
@@ -17,10 +17,12 @@ var Version string = "0.0"
 var GitHash string = "unknown"
 
 func main() {
-	var addr, db, authfile string
+	var addr, db, authfile, certfile, keyfile string
 	var ver bool
 	flag.StringVar(&addr, "addr", "127.0.0.1:7070", "address to run server on")
 	flag.StringVar(&authfile, "auth-file", "", "path to a file containing username:password")
+	flag.StringVar(&certfile, "cert-file", "", "path to cert file for https")
+	flag.StringVar(&keyfile, "key-file", "", "path to key file for https")
 	flag.StringVar(&db, "db", "", "storage file path")
 	flag.BoolVar(&ver, "version", false, "print application version")
 	flag.Parse()
@@ -67,6 +69,10 @@ func main() {
 		}
 	}
 
+	if (certfile != "" || keyfile != "") && (certfile == "" || keyfile == "") {
+		logger.Fatalf("Both cert & key files are required")
+	}
+
 	store, err := storage.New(db, logger)
 	if err != nil {
 		logger.Fatal("Failed to initialise database: ", err)
@@ -74,11 +80,18 @@ func main() {
 
 	srv := server.New(store, logger, addr)
 
+	proto := "http"
+	if certfile != "" && keyfile != "" {
+		srv.CertFile = certfile
+		srv.KeyFile = keyfile
+		proto = "https"
+	}
+
 	if username != "" && password != "" {
 		srv.Username = username
 		srv.Password = password
 	}
 
-	logger.Printf("starting server at http://%s", addr)
+	logger.Printf("starting server at %s://%s", proto, addr)
 	platform.Start(srv)
 }
diff --git a/server/server.go b/server/server.go
index 2a16298..72f2070 100644
--- a/server/server.go
+++ b/server/server.go
@@ -20,6 +20,9 @@ type Handler struct {
 	// auth
 	Username    string
 	Password    string
+	// https
+	CertFile    string
+	KeyFile     string
 }
 
 func New(db *storage.Storage, logger *log.Logger, addr string) *Handler {
@@ -37,7 +40,13 @@ func New(db *storage.Storage, logger *log.Logger, addr string) *Handler {
 func (h *Handler) Start() {
 	h.startJobs()
 	s := &http.Server{Addr: h.Addr, Handler: h}
-	err := s.ListenAndServe()
+
+	var err error
+	if h.CertFile != "" && h.KeyFile != "" {
+		err = s.ListenAndServeTLS(h.CertFile, h.KeyFile)
+	} else {
+		err = s.ListenAndServe()
+	}
 	if err != http.ErrServerClosed {
 		h.log.Fatal(err)
 	}