diff --git a/server/routes/.well-known/openid-configuration.get.ts b/server/routes/.well-known/openid-configuration.get.ts
index 69ff7f5..8afa4af 100644
--- a/server/routes/.well-known/openid-configuration.get.ts
+++ b/server/routes/.well-known/openid-configuration.get.ts
@@ -14,10 +14,8 @@ export default defineEventHandler(async (event) => {
 // The provider expects the path relative to its root
 req.url = "/.well-known/openid-configuration";
- // Ensure the provider sees https when behind Traefik
- if (!req.headers["x-forwarded-proto"]) {
- req.headers["x-forwarded-proto"] = "https";
- }
+ // Traefik terminates TLS — tell the provider we're on https
+ req.headers["x-forwarded-proto"] = "https";
 const callback = provider.callback() as Function;
 await new Promise((resolve, reject) => {
diff --git a/server/routes/oidc/[...].ts b/server/routes/oidc/[...].ts
index 7b0fc5a..39528f0 100644
--- a/server/routes/oidc/[...].ts
+++ b/server/routes/oidc/[...].ts
@@ -17,10 +17,8 @@ export default defineEventHandler(async (event) => {
 // The provider's routes config includes the /oidc prefix,
 // so pass the full path through without stripping.
- // Ensure the provider sees https when behind Traefik
- if (!req.headers["x-forwarded-proto"]) {
- req.headers["x-forwarded-proto"] = "https";
- }
+ // Traefik terminates TLS — tell the provider we're on https
+ req.headers["x-forwarded-proto"] = "https";
 // Hand off to oidc-provider's Connect-style callback
 const callback = provider.callback() as Function;
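Review bot: Overwriting `x-forwarded-proto` unconditionally tells the provider that every request is https, including any that did not pass through Traefik's TLS entrypoint (for example if the app port is reachable directly); the same two lines are added in `server/routes/oidc/[...].ts`. Discarding a client-supplied value is reasonable, but the deployment assumption should be stated where it is relied on, e.g. `// Assumes the app is reachable only through Traefik's TLS entrypoint; a direct plaintext request would also be reported to the provider as https.` Since the assignment is now duplicated verbatim in both handlers, a small shared helper would keep the two routes from drifting apart. Whether the provider honours this header at all presumably depends on its proxy setting, which is configured outside these hunks, and both handler bodies start before and continue past the visible lines.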