diff --git a/.env.dist b/.env.dist index e71888f..f397dfb 100644 --- a/.env.dist +++ b/.env.dist @@ -6,11 +6,13 @@ APP_ENV=dev APP_SECRET=changethis APP_NAME=mineseeker -# TRUSTED_PROXIES: Only needed for bare-metal dev behind a reverse proxy -# For Docker development, this is set in compose.override.yaml -# For production, set in PROD_ENV_FILE Gitea secret (use 172.18.0.0/16 initially) -#TRUSTED_PROXIES=127.0.0.1,127.0.0.2 -#TRUSTED_HOSTS=localhost,example.com +# APP_PUBLIC_HOSTNAME: The public hostname for your application (used for generating absolute URLs in emails) +# For production, set this to your domain (e.g., mineseeker.com) +APP_PUBLIC_HOSTNAME=localhost +# TRUSTED_PROXIES: IPs/CIDRs of trusted reverse proxies (needed for correct URL scheme detection in emails) +# For Docker development, this is overridden in compose.override.yaml to "0.0.0.0/0" +# For production, set to your proxy's IP or Docker network CIDR (e.g., 172.18.0.0/16) +TRUSTED_PROXIES=127.0.0.1 ###< symfony/framework-bundle ### ###> doctrine/doctrine-bundle ### diff --git a/compose.yaml b/compose.yaml index 5ef6a66..6e02160 100644 --- a/compose.yaml +++ b/compose.yaml @@ -11,6 +11,7 @@ services: SERVER_NAME: ${SERVER_NAME:-:80} APP_ENV: prod APP_SECRET: ${APP_SECRET} + APP_PUBLIC_HOSTNAME: ${APP_PUBLIC_HOSTNAME:-localhost} APP_CONTACT_MAIL_ADDRESS: ${APP_CONTACT_MAIL_ADDRESS:-7system7@gmail.com} DATABASE_URL: >- postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@db:5432/${POSTGRES_DB}?serverVersion=${POSTGRES_VERSION}&charset=utf8 diff --git a/config/packages/framework.yaml b/config/packages/framework.yaml index 2c3a026..d087f1d 100644 --- a/config/packages/framework.yaml +++ b/config/packages/framework.yaml 
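Review bot: The rewritten TRUSTED_PROXIES comment in .env.dist names "0.0.0.0/0" for Docker development and a whole /16 for production without saying what that trust grants: every address in the list may set the X-Forwarded-* headers the application will believe. I would add a line such as `# Any address listed here can set X-Forwarded-* headers for the app: use the proxy's own IP where possible and keep 0.0.0.0/0 to local development only`. The hunk also drops the `#TRUSTED_HOSTS=localhost,example.com` example. Because framework.yaml in this same commit starts trusting `x-forwarded-host`, keeping that line (still commented out) would remind operators to pin the accepted hostnames.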
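Review bot: The `:-localhost` fallback on the added APP_PUBLIC_HOSTNAME line sits in a service that sets `APP_ENV: prod`, so a deployment that forgets the variable starts normally and, going by the .env.dist comment, would generate e-mail links pointing at localhost. Failing at startup is easier to notice: `APP_PUBLIC_HOSTNAME: ${APP_PUBLIC_HOSTNAME:?set the public hostname}`. The visible lines also do not pass TRUSTED_PROXIES into the container, although framework.yaml now reads `%env(TRUSTED_PROXIES)%`; if an env file outside this hunk does not supply it, it needs an entry here too. The environment block starts and ends outside the hunk.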
@@ -8,6 +8,11 @@ framework: session: handler_id: ~ + # Trust headers from reverse proxy (Caddy) + # This ensures absolute_url() uses HTTPS scheme when behind a reverse proxy + trusted_proxies: '%env(TRUSTED_PROXIES)%' + trusted_headers: ['x-forwarded-for', 'x-forwarded-proto', 'x-forwarded-host', 'x-forwarded-port'] + #esi: true #fragments: true php_errors:
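Review bot: The added `trusted_headers` list includes `x-forwarded-host`, although the comment above it gives only HTTPS scheme detection as the reason, which needs `x-forwarded-proto` (and possibly `x-forwarded-port`). With `x-forwarded-host` trusted, any peer covered by TRUSTED_PROXIES decides the host name the request reports, and the ranges mentioned in .env.dist (a /16, or 0.0.0.0/0 in development) make that a large set. If absolute URLs in e-mails are ever built from the request host, that becomes a host-header poisoning risk. Unless the proxy rewrites Host, I would use `trusted_headers: ['x-forwarded-for', 'x-forwarded-proto', 'x-forwarded-port']` and set `trusted_hosts` under `framework:` to the public hostname. The `framework:` mapping continues outside the hunk.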