diff --git a/server/routes/.well-known/openid-configuration.get.ts b/server/routes/.well-known/openid-configuration.get.ts
index 4e0dc85..69ff7f5 100644
--- a/server/routes/.well-known/openid-configuration.get.ts
+++ b/server/routes/.well-known/openid-configuration.get.ts
@@ -14,6 +14,11 @@ export default defineEventHandler(async (event) => {
 // The provider expects the path relative to its root
 req.url = "/.well-known/openid-configuration";
 
+ // Ensure the provider sees https when behind Traefik
+ if (!req.headers["x-forwarded-proto"]) {
+ req.headers["x-forwarded-proto"] = "https";
+ }
+
 const callback = provider.callback() as Function;
 await new Promise((resolve, reject) => {
 callback(req, res, (err: unknown) => {
diff --git a/server/routes/oidc/[...].ts b/server/routes/oidc/[...].ts
index ec6d7be..7b0fc5a 100644
--- a/server/routes/oidc/[...].ts
+++ b/server/routes/oidc/[...].ts
@@ -17,6 +17,11 @@ export default defineEventHandler(async (event) => {
 // The provider's routes config includes the /oidc prefix,
 // so pass the full path through without stripping.
 
+ // Ensure the provider sees https when behind Traefik
+ if (!req.headers["x-forwarded-proto"]) {
+ req.headers["x-forwarded-proto"] = "https";
+ }
+
 // Hand off to oidc-provider's Connect-style callback
 const callback = provider.callback() as Function;
 await new Promise((resolve, reject) => {
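Review bot: The fallback added in the `if (!req.headers["x-forwarded-proto"])` block marks every request that arrives without the header as https, including one that reached the server directly over plain HTTP rather than through Traefik, so the provider may treat an unencrypted connection as secure when it builds URLs or sets cookies. A reverse proxy normally sets this header itself, so its absence more likely points to a request that bypassed the proxy than to one that needs a default; a value supplied by the client is also passed through unchanged. Consider gating the default on an explicit deployment setting, e.g. `if (trustTlsProxy && !req.headers["x-forwarded-proto"])` (`trustTlsProxy` is a placeholder for a config flag), and confirming that the server port is reachable only from the proxy. The same block is repeated in the second hunk (`server/routes/oidc/[...].ts`), so a shared helper would keep the two routes in step. The handler body starts and ends outside both hunks.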