framework:
  # In production with FrankenPHP, the reverse proxy (Caddy) is in the same container
  # Requests come from 127.0.0.1, so we must trust that IP to process X-Forwarded-Proto headers
  # TRUSTED_PROXIES is set in the .env file (stored in Gitea secrets)
  # Typical value for Docker: 172.18.0.0/16 (or the specific Docker network CIDR)
  # This must be provided by the PROD_ENV_FILE secret in Gitea
  trusted_proxies: '%env(TRUSTED_PROXIES)%'
  trusted_headers: ['x-forwarded-for', 'x-forwarded-proto', 'x-forwarded-host', 'x-forwarded-port']