diff --git a/main.py b/main.py
index 68a31d5a..d8b80598 100644
--- a/main.py
+++ b/main.py
@@ -26,6 +26,7 @@ from fastapi import Depends, FastAPI, HTTPException, Request, Response
 from fastapi.middleware.cors import CORSMiddleware
 from fastapi.responses import FileResponse, HTMLResponse, RedirectResponse
 from fastapi.staticfiles import StaticFiles
+from uvicorn.middleware.proxy_headers import ProxyHeadersMiddleware
 from sentry_sdk.integrations.fastapi import FastApiIntegration
 from sentry_sdk.integrations.sqlalchemy import SqlalchemyIntegration
 from sqlalchemy import text
@@ -119,6 +120,7 @@ app.add_middleware(
 # So we add them in REVERSE order of desired execution:
 #
 # Desired execution order:
+# 0. ProxyHeadersMiddleware (trust X-Forwarded-Proto from Caddy)
 # 1. PlatformContextMiddleware (detect platform from domain/path)
 # 2. StoreContextMiddleware (detect store, uses platform_clean_path)
 # 3. FrontendTypeMiddleware (detect frontend type using FrontendDetector)
@@ -163,9 +165,16 @@ app.add_middleware(StoreContextMiddleware)
 logger.info("Adding PlatformContextMiddleware (detects platform from domain/path)")
 app.add_middleware(PlatformContextMiddleware)
+# Add proxy headers middleware (runs before all other middleware)
+# Caddy proxies HTTPS → HTTP internally; this reads X-Forwarded-Proto
+# so request.scheme = "https" and url_for() generates correct URLs
+logger.info("Adding ProxyHeadersMiddleware (trust X-Forwarded-Proto from Caddy)")
+app.add_middleware(ProxyHeadersMiddleware, trusted_hosts=["*"])
+
 logger.info("=" * 80)
 logger.info("MIDDLEWARE ORDER SUMMARY:")
 logger.info(" Execution order (request →):")
+logger.info(" 0. ProxyHeadersMiddleware (proxy headers)")
 logger.info(" 1. LoggingMiddleware (timing)")
 logger.info(" 2. PlatformContextMiddleware (platform detection)")
 logger.info(" 3. StoreContextMiddleware (store detection)")
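Review bot: `trusted_hosts=["*"]` in the third hunk makes ProxyHeadersMiddleware accept `X-Forwarded-Proto` and `X-Forwarded-For` from any peer, not only from Caddy, so a client that reaches the app directly (or whose forwarded headers the proxy passes through) controls the scheme and client address the application sees. That affects whatever later relies on `request.client` or `request.url.scheme`, such as request logging, per-IP limits or HTTPS-only decisions; whether such consumers exist is not visible in this diff. Restrict the trust to the proxy's own address, for example `app.add_middleware(ProxyHeadersMiddleware, trusted_hosts=["<CADDY_ADDRESS>"])` with the value read from configuration (placeholder, the page does not give Caddy's address). The comment added in the second hunk and the new log message should then state that the client address is rewritten as well, not only the scheme. If the app is served by uvicorn with its default proxy-header handling, that layer already trusts only 127.0.0.1 unless configured otherwise, so it is worth checking whether this extra middleware is needed at all.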