diff --git a/testapp/nginx.conf b/testapp/nginx.conf
index 4cf667c772c127924170b926731b08b7286ae13f..284a5fd3a336f7b14ad7793867351f6a7d35d2a5 100644
--- a/testapp/nginx.conf
+++ b/testapp/nginx.conf
@@ -2,6 +2,8 @@ pid nginx.pid;
 error_log nginx.err.log;
+load_module /usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so;
+
 events {
 worker_connections 768;
 }
@@ -16,6 +18,9 @@ http {
 tcp_nodelay on;
 keepalive_timeout 65;
 types_hash_max_size 2048;
+ ssl on;
+ ssl_certificate ../devcert.crt;
+ ssl_certificate_key ../devcert.key;
 server {
 #listen 50004; #listen [::]:5004;
@@ -28,21 +33,23 @@ http {
 location /test {
 auth_request /oauthproxy/auth;
 auth_request_set $auth_header $upstream_http_REMOTE_USER;
- proxy_set_header REMOTE_USER $auth_header;
+ more_clear_input_headers REMOTE-USER; # prevent spoofing
+ proxy_set_header REMOTE-USER $auth_header;
 proxy_pass http://localhost:5003;
 }
 location /oauthproxy/ {
- proxy_set_header X-REDIRECT-URI "http://localhost:5004/oauthproxy/callback";
+ proxy_set_header X-REDIRECT-URI "https://localhost:5004/oauthproxy/callback";
 proxy_set_header X-CLIENT-ID "test";
 proxy_set_header X-CLIENT-SECRET "testsecret";
 proxy_set_header X-SCOPE "userinfo";
- proxy_pass http://localhost:5002/;
+ proxy_ssl_verify off;
+ proxy_pass https://localhost:5002/;
 }
 error_page 401 = @error401;
 location @error401 {
- return 302 /oauthproxy/login?url=http://$http_host$request_uri;
+ return 302 /oauthproxy/login?url=https://$http_host$request_uri;
 }
 }
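Review bot: `ssl on;` at `http` level switches TLS on for every `server` in the block, and the directive is deprecated in current nginx releases; the usual form is the `ssl` parameter on the listener, e.g. `listen 5004 ssl;`. The only `listen` lines visible in this hunk are commented out and the active one is outside it, so I cannot tell whether it already carries `ssl`. The relative `../devcert.crt` / `../devcert.key` paths are presumably resolved against nginx's configuration prefix rather than the shell's working directory; a comment such as `# dev-only self-signed pair, path relative to the conf prefix` would make that explicit.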
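Review bot: The spoofing guard in `location /test` clears only the hyphenated `REMOTE-USER`, so a client-sent `REMOTE_USER` is dropped only because nginx defaults to `underscores_in_headers off`; WSGI/CGI-style backends map both spellings to the same `HTTP_REMOTE_USER` variable. I would add `more_clear_input_headers REMOTE_USER;` beside it, or extend the comment to `# prevent spoofing; relies on underscores_in_headers off`. In `location @error401` the `url=` value is still built from the client-supplied `$http_host`, so the post-login target follows whatever Host header was sent; a literal `https://localhost:5004$request_uri`, matching the `X-REDIRECT-URI` above, keeps it on this site. `proxy_ssl_verify off;` is understandable for a self-signed localhost cert but deserves a comment saying it is dev-only, since `X-CLIENT-SECRET` travels on that connection. The enclosing `server` block starts outside the hunk.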