general fixes

backend/src/config.py

@@ -25,6 +25,12 @@ class Settings(BaseSettings):
     cookie_max_age: int = Field(default=28800, env="COOKIE_MAX_AGE")  # 8 hours
     cookie_name: str = Field(default="access_token", env="COOKIE_NAME")
 
+    # Proxy / TLS termination settings
+    # Enable to honor X-Forwarded-Proto when behind a reverse proxy (ingress/nginx)
+    proxy_headers: bool = Field(default=False, env="PROXY_HEADERS")
+    # Comma-separated list of trusted proxy hosts/IPs. Use "*" to trust all.
+    trusted_proxy_hosts: str = Field(default="127.0.0.1,::1", env="TRUSTED_PROXY_HOSTS")
+
     # Database settings
     database_host: str = Field(default="postgres", env="DATABASE_HOST")
     database_port: int = Field(default=5432, env="DATABASE_PORT")

backend/src/main.py

@@ -2,6 +2,7 @@ from contextlib import asynccontextmanager
 from typing import List, Optional
 from fastapi import FastAPI, Depends, Request, HTTPException, status
 from fastapi.middleware.cors import CORSMiddleware
+from uvicorn.middleware.proxy_headers import ProxyHeadersMiddleware
 from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
 from fastapi.responses import RedirectResponse
 from sqlalchemy.ext.asyncio import AsyncSession
@@ -139,6 +140,15 @@ app = FastAPI(
     lifespan=lifespan
 )
 
+# Respect X-Forwarded-Proto/For headers when behind a reverse proxy
+if settings.proxy_headers:
+    trusted_hosts = [
+        host.strip()
+        for host in settings.trusted_proxy_hosts.split(",")
+        if host.strip()
+    ]
+    app.add_middleware(ProxyHeadersMiddleware, trusted_hosts=trusted_hosts)
+
 # Configure CORS
 app.add_middleware(
     CORSMiddleware,