diff --git a/backend/.env b/backend/.env
index 06c87ee..828a504 100644
--- a/backend/.env
+++ b/backend/.env
@@ -49,6 +49,9 @@ JWT_PASSPHRASE=d75959918d9ccc5c89c62edbd6e6c6af82d6e2a3d303c53a6f3328e94a05b60a
 ###> App ###
 # Portal-Domain (für On-Demand-TLS-Autorisierung). In Prod auf die echte Domain setzen.
 APP_PORTAL_DOMAIN=localhost
+# Reverse-Proxy, dem X-Forwarded-* vertraut wird. Dev: kein echter Proxy → leer.
+# Prod (.env.prod.local): das private Netz von Caddy, z. B. 10.0.0.0/16.
+TRUSTED_PROXIES=127.0.0.1
 ###< App ###
 
 ###> S3 / Object Storage (Druck-Assets) ###
diff --git a/backend/config/packages/framework.yaml b/backend/config/packages/framework.yaml
index 7e1ee1f..1ddfe5c 100644
--- a/backend/config/packages/framework.yaml
+++ b/backend/config/packages/framework.yaml
@@ -2,6 +2,11 @@
 framework:
     secret: '%env(APP_SECRET)%'
 
+    # Hinter Caddy (Reverse-Proxy): dessen X-Forwarded-Proto/Host vertrauen, damit
+    # generierte Absolut-URLs (QR, Wallet-Barcode) https + richtige Domain nutzen.
+    trusted_proxies: '%env(TRUSTED_PROXIES)%'
+    trusted_headers: ['x-forwarded-for', 'x-forwarded-host', 'x-forwarded-proto', 'x-forwarded-port']
+
     # Note that the session will be started ONLY if you read or write from it.
     session: true
 
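Review bot: The added default `TRUSTED_PROXIES=127.0.0.1` contradicts the comment two lines above it, which says dev has no real proxy and the value should be empty; with loopback trusted, any request that reaches the backend from the local host can set X-Forwarded-For/Proto/Host and have them honoured. Either make the committed default empty as the comment says, or change the comment to explain why loopback is trusted in dev, e.g. `# Dev: 127.0.0.1, weil das Frontend-Dev-Proxy lokal läuft` — whichever is actually true. The prod guidance of a whole `10.0.0.0/16` is wider than needed, since every host in that range can then spoof the client IP and scheme; I would state in the comment that the range should be only the proxy's own address or the Docker network Caddy actually sits on. Separately, the hunk header shows a `JWT_PASSPHRASE` value committed in this file; if that is more than a throwaway dev value it belongs in an untracked `.env.local`.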
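Review bot: The `trusted_headers` flow list on the fourth added line runs well past 80 columns; at that length a block sequence reads better and diffs per entry, and it also keeps the file's 4-space block style. The two new comment lines are German while the neighbouring `# Note that the session...` comment is English — keep one language per file. Because `x-forwarded-host` is trusted and, per the new comment, feeds the generated absolute URLs, the comment should also say that Caddy must overwrite rather than pass through a client-supplied X-Forwarded-Host; I believe Caddy's reverse_proxy does so by default, but it should be confirmed in the Caddy config. When `TRUSTED_PROXIES` is empty (the dev case per the .env comment), these headers are presumably ignored entirely, which is worth one line so nobody expects https URLs locally.
```yaml
    trusted_proxies: '%env(TRUSTED_PROXIES)%'
    trusted_headers:
      - 'x-forwarded-for'
      - 'x-forwarded-host'
      - 'x-forwarded-proto'
      - 'x-forwarded-port'
```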