diff --git a/modules/m0/dns.tf b/modules/m0/dns.tf
index 1ce7946..d9211ad 100644
--- a/modules/m0/dns.tf
+++ b/modules/m0/dns.tf
@@ -108,6 +108,18 @@ resource "azurerm_dns_txt_record" "m0_asuid" {
 }
 }
 
+# Azure verification key
+resource "azurerm_dns_txt_record" "m0_www_asuid" {
+ name = "asuid.www"
+ resource_group_name = azurerm_resource_group.dns_rg.name
+ zone_name = azurerm_dns_zone.m0_zone.name
+ ttl = 300
+
+ record {
+ value = azurerm_linux_web_app.frontend.custom_domain_verification_id
+ }
+}
+
 # https://github.com/hashicorp/terraform-provider-azurerm/issues/14642#issuecomment-1084728235
 # Currently, the azurerm provider doesn't give us the IP address, so we need to fetch it ourselves.
 data "dns_a_record_set" "m0_dns_fetch" {
diff --git a/modules/m0/main.tf b/modules/m0/main.tf
index 0428a19..a71393a 100644
--- a/modules/m0/main.tf
+++ b/modules/m0/main.tf
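Review bot: The comment `# Azure verification key` above the new `m0_www_asuid` record does not say what the record proves or which resource relies on it; suggest `# asuid TXT record that Azure checks to verify control of www.<fqdn> before the m0_www_hostname_binding in main.tf is accepted.` The `www` label is a bare literal in `name = "asuid.www"` here and appears again as `"www.${local.fqdn}"` in main.tf, so a shared local for the label would keep the TXT name and the hostname binding from drifting apart. The record value is `azurerm_linux_web_app.frontend.custom_domain_verification_id`, which only serves Azure's ownership check for this app, so it should be removed together with the binding it supports rather than left in the zone once the binding goes away.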
@@ -121,16 +121,32 @@ resource "azurerm_app_service_custom_hostname_binding" "m0_hostname_binding" {
 azurerm_dns_txt_record.m0_asuid
 ]
 }
+
+resource "azurerm_app_service_custom_hostname_binding" "m0_www_hostname_binding" {
+ hostname = "www.${local.fqdn}"
+ app_service_name = azurerm_linux_web_app.frontend.name
+ resource_group_name = var.web_resource_group_name
+
+ # Deletion may need manual work.
+ # https://github.com/hashicorp/terraform-provider-azurerm/issues/11231
+ # TODO: Add dependencies for creation
+ depends_on = [
+ azurerm_dns_cname_record.www_cname,
+ azurerm_dns_txt_record.m0_www_asuid
+ ]
+}
+
 resource "random_password" "m0_cert_password" {
 length = 48
 special = false
 }
 
 resource "acme_certificate" "m0_acme_cert" {
- account_key_pem = var.acme_account_key
- common_name = local.fqdn
- key_type = "2048" # RSA
- certificate_p12_password = random_password.m0_cert_password.result
+ account_key_pem = var.acme_account_key
+ common_name = local.fqdn
+ key_type = "2048" # RSA
+ certificate_p12_password = random_password.m0_cert_password.result
+ subject_alternative_names = ["www.${local.fqdn}"]
 
 dns_challenge {
 provider = "azure"
@@ -154,3 +170,9 @@ resource "azurerm_app_service_certificate_binding" "m0_cert_binding" {
 hostname_binding_id = azurerm_app_service_custom_hostname_binding.m0_hostname_binding.id
 ssl_state = "SniEnabled"
 }
+
+resource "azurerm_app_service_certificate_binding" "m0_www_cert_binding" {
+ certificate_id = azurerm_app_service_certificate.m0_cert.id
+ hostname_binding_id = azurerm_app_service_custom_hostname_binding.m0_www_hostname_binding.id
+ ssl_state = "SniEnabled"
+}
diff --git a/modules/web/dns.tf b/modules/web/dns.tf
index f9a9f81..2a69294 100644
--- a/modules/web/dns.tf
+++ b/modules/web/dns.tf
@@ -12,6 +12,7 @@ terraform {
 locals {
 fqdn = "${var.subdomain}.${var.root_zone_name}"
 }
+
 # A record for the web app
 resource "azurerm_dns_a_record" "tikweb_a" {
 name = var.subdomain
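Review bot: The `# TODO: Add dependencies for creation` comment in the new `m0_www_hostname_binding` sits directly above a `depends_on` that already lists `azurerm_dns_cname_record.www_cname` and `azurerm_dns_txt_record.m0_www_asuid`, so it reads as stale or copied from elsewhere; either drop it or state which creation-time dependency is still missing. `"www.${local.fqdn}"` is spelled out twice in this hunk (the binding's `hostname` and the certificate's `subject_alternative_names`) and the `www` label a third time in dns.tf's `asuid.www`, so a `www_fqdn = "www.${local.fqdn}"` entry in `locals` would keep the binding, the SAN and the TXT record in step. Adding the SAN changes the certificate's identity, so `m0_acme_cert` will presumably be re-issued on apply, which means the DNS challenge for the `www` name must also succeed and the dependent `azurerm_app_service_certificate.m0_cert` (defined outside this hunk) is likely to be replaced; worth confirming in the plan before apply. The first context lines belong to `m0_hostname_binding`, which starts before the hunk, and the `acme_certificate` block continues past its end.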
@@ -33,7 +34,6 @@ resource "azurerm_dns_txt_record" "tikweb_asuid" {
 }
 }
 
-
 # Reporting-only DMARC policy
 resource "azurerm_dns_txt_record" "tikweb_dmarc" {
 name = "_dmarc.${var.subdomain}"