diff --git a/pkg/authentication/authenticate.go b/pkg/authentication/authenticate.go
index 29879c6..93e5edf 100644
--- a/pkg/authentication/authenticate.go
+++ b/pkg/authentication/authenticate.go
@@ -27,6 +27,7 @@ type Authenticator[T Ctx] struct {
 sessions Sessions[T]
 encryptionKey string
 sessionCookieName string
+ externalSecure bool
 }
 // Option allows customization of the [Authenticator] such as logging and more.
@@ -55,6 +56,13 @@ func WithSessionCookieName[T Ctx](cookieName string) Option[T] {
 }
 }
+// WithExternalSecure allows using https redirects when the service is behind a reverse proxy.
+func WithExternalSecure[T Ctx](externalSecure bool) Option[T] {
+ return func(a *Authenticator[T]) {
+ a.externalSecure = externalSecure
+ }
+}
+
 func New[T Ctx](ctx context.Context, zitadel *zitadel.Zitadel, encryptionKey string, initAuthentication HandlerInitializer[T], options ...Option[T]) (*Authenticator[T], error) {
 authN, err := initAuthentication(ctx, zitadel)
 if err != nil {
@@ -143,7 +151,7 @@ func (a *Authenticator[T]) Logout(w http.ResponseWriter, req *http.Request) {
 a.deleteSessionCookie(w)
 proto := "http"
- if req.TLS != nil {
+ if req.TLS != nil || a.externalSecure {
 proto = "https"
 }
 postLogout := fmt.Sprintf("%s://%s/", proto, req.Host)
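Review bot: The doc comment on `WithExternalSecure` does not say what the flag changes or what it assumes about the deployment. In the visible hunks it only forces the `https` scheme for the post-logout URL built in `Logout`, and it reads no forwarded-protocol header, so it is a static assertion by the operator that every external request arrives over TLS. I would expand it to something like `// WithExternalSecure makes generated redirect URLs use https even when req.TLS is nil. Enable it only when TLS is always terminated by a trusted reverse proxy in front of the service.` The new `externalSecure` field in the struct hunk is also uncommented and could carry a one-line note to the same effect.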
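Review bot: In the `Logout` hunk the post-logout URL is still assembled from `req.Host`, which is taken from the request. Once `externalSecure` makes the proxied deployment a supported case, the redirect target depends on the proxy forwarding a trustworthy external Host value. That line is unchanged context, but it deserves a comment above it such as `// req.Host is request-supplied: the proxy must set it to the external host, and the IdP should only accept registered post-logout URIs.` Separately, `Logout` is the only place in this diff where the `req.TLS != nil` test gains the new flag; any other handler that derives the scheme or a cookie attribute from `req.TLS` (none is visible here) would keep emitting `http` and should be checked. The body of `Logout` starts and ends outside the hunk.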