diff --git a/internal/cmd/run.go b/internal/cmd/run.go
index 0a70655..f15ef99 100644
--- a/internal/cmd/run.go
+++ b/internal/cmd/run.go
@@ -28,6 +28,7 @@ func newRunCommand() *runCommand {
 runCommand.cmd.Flags().IntVar(&globalConfig.HttpPort, "http-port", getEnvInt("HTTP_PORT", server.DefaultHttpPort), "Port to serve HTTP traffic on")
 runCommand.cmd.Flags().IntVar(&globalConfig.HttpsPort, "https-port", getEnvInt("HTTPS_PORT", server.DefaultHttpsPort), "Port to serve HTTPS traffic on")
 runCommand.cmd.Flags().IntVar(&globalConfig.MetricsPort, "metrics-port", getEnvInt("METRICS_PORT", 0), "Publish metrics on the specified port (default zero to disable)")
+ runCommand.cmd.Flags().BoolVar(&globalConfig.MetricsTls, "metrics-tls", getEnvBool("METRICS_TLS", false), "Enable TLS for the metrics port (default false for HTTP)")
 runCommand.cmd.Flags().BoolVar(&globalConfig.HTTP3Enabled, "http3", false, "Enable HTTP/3")
 return runCommand
diff --git a/internal/server/config.go b/internal/server/config.go
index 0314825..2b9d638 100644
--- a/internal/server/config.go
+++ b/internal/server/config.go
@@ -17,6 +17,7 @@ type Config struct {
 HttpPort int
 HttpsPort int
 MetricsPort int
+ MetricsTls bool
 HTTP3Enabled bool
 AlternateConfigDir string
diff --git a/internal/server/server.go b/internal/server/server.go
index 4b336de..a4a0b91 100644
--- a/internal/server/server.go
+++ b/internal/server/server.go
@@ -196,10 +196,17 @@ func (s *Server) startMetricsServer() error {
 Addr: addr,
 Handler: handler,
 }
+ if s.config.MetricsTls {
+ s.metricsServer.TLSConfig = &tls.Config{
+ MinVersion: tls.VersionTLS13,
+ GetCertificate: s.router.GetCertificate,
+ }
+ go s.metricsServer.ServeTLS(s.metricsListener, "", "")
+ } else {
+ go s.metricsServer.Serve(s.metricsListener)
+ }
- go s.metricsServer.Serve(s.metricsListener)
-
- slog.Info("Metrics enabled", "address", addr)
+ slog.Info("Metrics enabled", "port", s.config.MetricsPort, "TLS", s.config.MetricsTls)
 return nil
 }
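Review bot: The help text for `--metrics-tls` in newRunCommand does not say that the flag is inert unless `--metrics-port` is non-zero, nor which certificate the port will present, so an operator can set it and still have no TLS-protected endpoint. A wording such as `"Serve the metrics port over TLS using the proxy's certificates (requires --metrics-port; default plain HTTP)"` would make both visible. `getEnvBool` is defined outside this hunk; if it falls back to the default on an unparsable value, `METRICS_TLS=yes` would quietly leave metrics on plain HTTP, which is worth confirming.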
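Review bot: The metrics listener in startMetricsServer takes its certificate from `s.router.GetCertificate`, which is defined outside this hunk and presumably selects a certificate by the ClientHello server name of a routed host; a scraper that reaches the port by IP address or an internal name may then fail the handshake, and the usual workaround is to switch off verification on the scraper. The `tls.Config` also sets no `ClientAuth`, so TLS here encrypts the scrape but leaves the endpoint readable by anyone who can reach the port. I would record both above the branch, e.g. `// Metrics TLS reuses the router's certificates and does not authenticate clients; restrict the port at the network level.` The error returned by `ServeTLS`/`Serve` is still discarded inside the goroutine, so a listener failure after "Metrics enabled" is logged goes unreported. startMetricsServer begins outside the hunk.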