diff --git a/backend/internal/api/install.go b/backend/internal/api/install.go
index c8f0814..0e0b9ac 100644
--- a/backend/internal/api/install.go
+++ b/backend/internal/api/install.go
@@ -210,15 +210,34 @@ func (h *InstallHandler) Configure(w http.ResponseWriter, r *http.Request) {
 }
 
 // detectPublicURL inférer l'URL publique depuis les headers de la requête entrante.
+// Traefik termine TLS en amont et communique en HTTP avec le backend.
+// On fait confiance à X-Forwarded-Proto quand il vaut "https", et on suppose
+// HTTPS pour tout domaine réel (avec un point) même si X-Forwarded-Proto est absent ou "http".
 func detectPublicURL(r *http.Request) string {
 	host := r.Header.Get("X-Forwarded-Host")
 	if host == "" {
 		host = r.Host
 	}
-	proto := "https"
-	if r.Header.Get("X-Forwarded-Proto") == "http" || (!strings.Contains(host, ".") && !strings.Contains(host, ":")) {
+
+	fwdProto := r.Header.Get("X-Forwarded-Proto")
+
+	var proto string
+	switch {
+	case fwdProto == "https":
+		proto = "https"
+	case r.TLS != nil:
+		proto = "https"
+	case strings.Contains(host, ".") &&
+		!strings.HasPrefix(host, "localhost") &&
+		!strings.HasPrefix(host, "127.") &&
+		!strings.HasPrefix(host, "10.") &&
+		!strings.HasPrefix(host, "192.168."):
+		// Domaine public → toujours HTTPS
+		proto = "https"
+	default:
 		proto = "http"
 	}
+
 	return fmt.Sprintf("%s://%s", proto, host)
 }
 
diff --git a/frontend/src/locales/en.json b/frontend/src/locales/en.json
index b79f8f1..fbc419b 100644
--- a/frontend/src/locales/en.json
+++ b/frontend/src/locales/en.json
@@ -34,7 +34,7 @@
     "sshFailed": "SSH connection failed",
     "proxmoxUrl": "Proxmox URL",
     "proxmoxToken": "Proxmox API token",
-    "proxmoxTokenHint": "Format: PVEAPIToken=user@realm!tokenid=secret",
+    "proxmoxTokenHint": "Format: PVEAPIToken=user{'@'}realm!tokenid=secret",
     "back": "Back",
     "next": "Next",
     "finish": "Complete installation",
diff --git a/frontend/src/locales/fr.json b/frontend/src/locales/fr.json
index db36433..f7386e9 100644
--- a/frontend/src/locales/fr.json
+++ b/frontend/src/locales/fr.json
@@ -34,7 +34,7 @@
     "sshFailed": "Connexion SSH échouée",
     "proxmoxUrl": "URL Proxmox",
     "proxmoxToken": "Token API Proxmox",
-    "proxmoxTokenHint": "Format : PVEAPIToken=user@realm!tokenid=secret",
+    "proxmoxTokenHint": "Format : PVEAPIToken=user{'@'}realm!tokenid=secret",
     "back": "Retour",
     "next": "Suivant",
     "finish": "Terminer l'installation",