diff --git a/internal/config/config.go b/internal/config/config.go
index cc8a38b444bd9f54f5884348025e58ca8c15fd7b..8e54cac549e73ac3d5dcfa17224399c9522a2ee3 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -2,6 +2,7 @@ package config
 
 import (
 	"fmt"
+	"strings"
 
 	"github.com/coreos/go-oidc/v3/oidc"
 	log "github.com/sirupsen/logrus"
@@ -22,6 +23,7 @@ var defaultConfig = Config{
 			Enabled:      true, // The default is that TLS is enabled if cert and key are given, this is checked later; we must set true here, because otherwise we cannot distinct this from a false set by the user
 			RedirectHTTP: true,
 		},
+		Secure: true,
 	},
 	DB: DBConf{
 		Hosts:             []string{"localhost"},
@@ -158,6 +160,7 @@ type serverConf struct {
 	Hostname string  `yaml:"hostname"`
 	Port     int     `yaml:"port"`
 	TLS      tlsConf `yaml:"tls"`
+	Secure   bool    `yaml:"-"` // Secure indicates if the connection to the mytoken server is secure. This is independent of TLS, e.g. a Proxy can be used.
 }
 
 type tlsConf struct {
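Review bot: The comment on the new `Secure` field does not say where the value comes from, and with `yaml:"-"` an operator cannot set it. The visible hunks show it defaulting to true in `defaultConfig` and being cleared in `validate()` when `issuer_url` starts with `http://`. I would put that in a doc comment above the field instead of a trailing one, for example `// Secure reports whether clients reach the mytoken server over HTTPS (directly or via a TLS-terminating proxy). It is not read from the config file; validate() derives it from issuer_url and it defaults to true.` This matters to a reader because the field now controls the `Secure` attribute of the cookies set in revocationEndpoint.go and authcode.go.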
@@ -217,6 +220,12 @@ func validate() error {
 	if conf == nil {
 		return fmt.Errorf("config not set")
 	}
+	if conf.IssuerURL == "" {
+		return fmt.Errorf("invalid config:issuer_url not set")
+	}
+	if strings.HasPrefix(conf.IssuerURL, "http://") {
+		conf.Server.Secure = false
+	}
 	if conf.Server.Hostname == "" {
 		return fmt.Errorf("invalid config: server.hostname not set")
 	}
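Review bot: The `strings.HasPrefix(conf.IssuerURL, "http://")` branch silently turns off the `Secure` attribute for every cookie that reads `conf.Server.Secure`, so an `issuer_url` mistyped as `http://` in production would send the token cookie in cleartext with nothing in the logs to show it. Since logrus is already imported as `log` in this file, I would add `log.Warn("issuer_url uses plain http; cookies will be set without the Secure flag")` inside that branch. The prefix match is also case-sensitive, so `HTTP://…` keeps `Secure` true; that fails closed, but a browser would then presumably drop the cookie over plain HTTP, and comparing against a lower-cased copy of the URL would avoid it. Minor: the new message `"invalid config:issuer_url not set"` lacks the space after the colon that the `server.hostname` message below has. `validate()` continues past the end of this hunk.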
diff --git a/internal/endpoints/revocation/revocationEndpoint.go b/internal/endpoints/revocation/revocationEndpoint.go
index 036eb2f5d6cf9e6b98a9429e58e734187fe6ade5..332f2e97f562c87905b9da8ec8a43c90b40cdf8a 100644
--- a/internal/endpoints/revocation/revocationEndpoint.go
+++ b/internal/endpoints/revocation/revocationEndpoint.go
@@ -46,7 +46,7 @@ func HandleRevoke(ctx *fiber.Ctx) error {
 				Value:    "",
 				Path:     "/api",
 				Expires:  time.Date(1970, 1, 1, 0, 0, 0, 0, time.UTC),
-				Secure:   config.Get().Server.TLS.Enabled,
+				Secure:   config.Get().Server.Secure,
 				HTTPOnly: true,
 				SameSite: "Strict",
 			}},
diff --git a/internal/oidc/authcode/authcode.go b/internal/oidc/authcode/authcode.go
index 2a6b84398a3810d4aa56813fc273cdbe08b52094..88b195c4cb7cc05dff37f0560ec75b013fcdc9ee 100644
--- a/internal/oidc/authcode/authcode.go
+++ b/internal/oidc/authcode/authcode.go
@@ -244,7 +244,7 @@ func CodeExchange(oState *state.State, code string, networkData api.ClientMetaDa
 			Value:    cookieValue,
 			Path:     "/api",
 			MaxAge:   cookieAge,
-			Secure:   config.Get().Server.TLS.Enabled,
+			Secure:   config.Get().Server.Secure,
 			HTTPOnly: true,
 			SameSite: "Strict",
 		}},