diff --git a/helpers.go b/helpers.go
index 7043b53..07f12fd 100644
--- a/helpers.go
+++ b/helpers.go
@@ -25,7 +25,8 @@ func generateNonce() (string, error) {
 func assembleRedirectURL(scheme, host, path string) string {
 	if scheme == "" {
-		scheme = "http" // Default to http if scheme is empty
+		// infoLogger.Println("Scheme is empty, defaulting to http")
+		scheme = "http"
 	}
 	return scheme + "://" + host + path
 }
@@ -84,7 +85,7 @@ func (t *TraefikOidc) handleCallback(rw http.ResponseWriter, req *http.Request) {
 	}
 	code := req.URL.Query().Get("code")
-	redirectURL := assembleRedirectURL(req.URL.Scheme, req.Host, t.redirURLPath)
+	redirectURL := assembleRedirectURL(t.scheme, req.Host, t.redirURLPath)
 	oauth2Token, err := t.exchangeCodeForToken(ctx, code, redirectURL)
 	if err != nil {
 		// infoLogger.Printf("Failed to exchange token: %v", err)
diff --git a/main.go b/main.go
index 4d9d032..cca6707 100644
--- a/main.go
+++ b/main.go
@@ -36,6 +36,8 @@ type TraefikOidc struct {
 	tokenURL string
 	scopes []string
 	limiter *rate.Limiter
+	forceHTTPS bool
+	scheme string
 }
 type ProviderMetadata struct {
@@ -71,6 +73,7 @@ func New(ctx context.Context, next http.Handler, config *Config, name string) (h
 		jwksURL: metadata.JWKSURL,
 		clientID: config.ClientID,
 		clientSecret: config.ClientSecret,
+		forceHTTPS: config.ForceHTTPS,
 		authURL: metadata.AuthURL,
 		tokenURL: metadata.TokenURL,
 		scopes: config.Scopes,
@@ -104,8 +107,17 @@ func (t *TraefikOidc) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 		scheme = req.Header.Get("X-Forwarded-Proto")
 	}
 	if scheme == "" {
-		scheme = "http" // Default to http if not set
+		if req.TLS != nil {
+			scheme = "https"
+		} else {
+			scheme = "http"
+		}
 	}
+	if t.forceHTTPS {
+		scheme = "https"
+	}
+	t.scheme = scheme
 	host := req.URL.Host
 	if host == "" {
 		host = req.Header.Get("X-Forwarded-Host")
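Review bot: `t.scheme` is per-request data stored on the shared *TraefikOidc handler — ServeHTTP (main.go, third hunk) writes it with `t.scheme = scheme` on every request without any synchronization, and this line reads it back during the callback, so concurrent requests race on the field and a callback can build its redirect_uri from a different request's scheme. Because the redirect_uri sent to the token endpoint must match the one used in the authorization request, that mismatch makes exchangeCodeForToken fail intermittently (with ForceHTTPS set the value is constant, which hides the race rather than fixing it); a handler test run under `go test -race` would report the unsynchronized write. Compute the scheme from the request instead of caching it on the handler: move the detection into a small method and use `redirectURL := assembleRedirectURL(t.requestScheme(req), req.Host, t.redirURLPath)` here, the same call with `host` in main.go's fourth hunk, and drop the `scheme` field and the `t.scheme = scheme` write from the third. handleCallback starts and ends outside this hunk, as does ServeHTTP.
```go
// requestScheme returns the scheme to put in redirect URLs for req:
// ForceHTTPS wins, then the request's own scheme, then X-Forwarded-Proto,
// then whether the connection itself is TLS (same sources as ServeHTTP today).
func (t *TraefikOidc) requestScheme(req *http.Request) string {
	if t.forceHTTPS {
		return "https"
	}
	if req.URL.Scheme != "" {
		return req.URL.Scheme
	}
	if proto := req.Header.Get("X-Forwarded-Proto"); proto != "" {
		return proto
	}
	if req.TLS != nil {
		return "https"
	}
	return "http"
}

// … in ServeHTTP, in place of the scheme detection and the t.scheme write …
redirectURL := assembleRedirectURL(t.requestScheme(req), host, t.redirURLPath)

// … in handleCallback …
redirectURL := assembleRedirectURL(t.requestScheme(req), req.Host, t.redirURLPath)
```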
@@ -114,7 +126,11 @@ func (t *TraefikOidc) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 		host = req.Host
 	}
-	redirectURL := assembleRedirectURL(scheme, host, t.redirURLPath)
+	// infoLogger.Printf("Scheme: %s, Host: %s, Path: %s", scheme, host, t.redirURLPath)
+	// infoLogger.Printf("X-Forwarded-Proto: %s", req.Header.Get("X-Forwarded-Proto"))
+	// infoLogger.Printf("X-Forwarded-Host: %s", req.Header.Get("X-Forwarded-Host"))
+	redirectURL := assembleRedirectURL(t.scheme, host, t.redirURLPath)
+	// infoLogger.Printf("Final redirect URL: %s", redirectURL)
 	session, err := t.store.Get(req, cookie_name)
 	if err != nil {
diff --git a/settings.go b/settings.go
index 7591354..3c88856 100644
--- a/settings.go
+++ b/settings.go
@@ -15,6 +15,7 @@ type Config struct {
 	Scopes []string `json:"scopes"`
 	LogLevel string `json:"logLevel"`
 	SessionEncryptionKey string `json:"sessionEncryptionKey"`
+	ForceHTTPS bool `json:"forceHTTPS"`
 }
 func CreateConfig() *Config {
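Review bot: The new exported `ForceHTTPS` field in Config carries no doc comment, and it is the only user-facing knob this change adds, so a reader has to trace ServeHTTP to learn that it overrides both the request's scheme and X-Forwarded-Proto when building redirect URLs. Suggest `// ForceHTTPS makes every redirect URL use the https scheme, regardless of the scheme the request or the X-Forwarded-Proto header reports.` directly above the field, and a sentence noting that the zero value (false) keeps scheme detection from the request, which is presumably the intended default. CreateConfig begins on the hunk's last line and continues outside it, so whether it sets an explicit default cannot be checked here.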