diff --git a/internal/auth/oidc.go b/internal/auth/oidc.go
index acf49b7d..44b90608 100644
--- a/internal/auth/oidc.go
+++ b/internal/auth/oidc.go
@@ -10,6 +10,7 @@ import (
 "net/http"
 "net/url"
 "slices"
+ "strings"
 "time"
 "github.com/coreos/go-oidc/v3/oidc"
@@ -199,7 +200,7 @@ func (auth *OIDCProvider) HandleAuth(w http.ResponseWriter, r *http.Request) {
 if r.URL.Path == "" {
 r.URL.Path = OIDCAuthInitPath
 }
- if r.TLS == nil && r.Header.Get("X-Forwarded-Proto") != "https" {
+ if r.TLS == nil && strings.EqualFold(r.Header.Get("X-Forwarded-Proto"), "https") {
 r.URL.Scheme = "https"
 http.Redirect(w, r, r.URL.String(), http.StatusFound)
 return
diff --git a/internal/net/gphttp/middleware/forwardauth.go b/internal/net/gphttp/middleware/forwardauth.go
index 4c40fdec..90b16f0f 100644
--- a/internal/net/gphttp/middleware/forwardauth.go
+++ b/internal/net/gphttp/middleware/forwardauth.go
@@ -5,6 +5,7 @@ import (
 "errors"
 "net"
 "net/http"
+ "strings"
 "time"
 "github.com/yusing/godoxy/internal/route/routes"
@@ -71,7 +72,7 @@ func (m *forwardAuthMiddleware) before(w http.ResponseWriter, r *http.Request) (
 }
 proto := "http"
- if r.TLS != nil || r.Header.Get("X-Forwarded-Proto") == "https" {
+ if r.TLS != nil || strings.EqualFold(r.Header.Get("X-Forwarded-Proto"), "https") {
 proto = "https"
 }
diff --git a/internal/net/gphttp/middleware/redirect_http.go b/internal/net/gphttp/middleware/redirect_http.go
index 0addebc3..61951f62 100644
--- a/internal/net/gphttp/middleware/redirect_http.go
+++ b/internal/net/gphttp/middleware/redirect_http.go
@@ -19,7 +19,7 @@ var RedirectHTTP = NewMiddleware[redirectHTTP]()
 // before implements RequestModifier.
 func (m *redirectHTTP) before(w http.ResponseWriter, r *http.Request) (proceed bool) {
- if r.TLS != nil || r.Header.Get("X-Forwarded-Proto") == "https" {
+ if r.TLS != nil || strings.EqualFold(r.Header.Get("X-Forwarded-Proto"), "https") {
 return true
 }
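Review bot: In internal/auth/oidc.go, HandleAuth, the rewritten condition loses the negation: the removed line tested `!= "https"`, while the added line is true when the header equals https. As written, the upgrade redirect fires for requests a fronting proxy has already marked as HTTPS (which looks like a redirect loop behind a TLS-terminating proxy) and is skipped for plain-HTTP requests that carry no header, so the OIDC flow would continue over cleartext. The line should read `if r.TLS == nil && !strings.EqualFold(r.Header.Get("X-Forwarded-Proto"), "https") {`. HandleAuth's body continues outside the hunk.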
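Review bot: In internal/net/gphttp/middleware/forwardauth.go, `proto` is taken from `X-Forwarded-Proto` exactly as the connecting peer sent it, and nothing in the hunk checks that the peer is a proxy entitled to set that header. If this listener is reachable directly, the value is client-controlled, and whatever `proto` feeds further down (outside the hunk, presumably the headers handed to the auth server) inherits an unverified claim of HTTPS. Consider honouring the header only when `r.RemoteAddr` belongs to a trusted proxy, or at minimum record the assumption next to the check: `// X-Forwarded-Proto is trusted here; the fronting proxy must overwrite any client-supplied value`. The same header test appears in the redirect_http.go and oidc.go hunks.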
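Review bot: The internal/net/gphttp/middleware/redirect_http.go hunk starts calling `strings.EqualFold`, but unlike oidc.go and forwardauth.go this diff adds no `"strings"` import to the file. The import block is outside the hunk, so it may already be there for another use; if it is not, the package will not compile and `"strings"` needs to be added to the imports. The body of `before` continues outside the hunk.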