diff --git a/nix-system-configs/modules/system/traefik.nix b/nix-system-configs/modules/system/traefik.nix
index 606872b..9a8c99a 100644
--- a/nix-system-configs/modules/system/traefik.nix
+++ b/nix-system-configs/modules/system/traefik.nix
@@ -56,14 +56,14 @@ in {
           # Empty TARGET for redirect mode
           TARGET = " ";
 
-          # Configure redirect domains
-          #REDIRECT_DOMAINS = "*.prg-radio.org";
+          # Configure redirect domains - ALL domains that should be able to redirect back after challenge
+          REDIRECT_DOMAINS = "prg-radio.org,git.prg-radio.org,wavelog.prg-radio.org,partdb.prg-radio.org,anubis.prg-radio.org";
 
           # Public URL for Anubis
           PUBLIC_URL = "https://anubis.prg-radio.org";
 
-          # Cookie domain for proper scoping
-          #COOKIE_DOMAIN = "*.prg-radio.org";
+          # Cookie domain for proper scoping (leading dot for all subdomains)
+          COOKIE_DOMAIN = ".prg-radio.org";
 
           # Difficulty level
           DIFFICULTY = 20;
@@ -147,6 +147,10 @@ in {
             forwardAuth = {
               address = "http://127.0.0.1:8090/.within.website/x/cmd/anubis/api/check";
               trustForwardHeader = true;
+              # Forward authentication headers
+              authResponseHeaders = [
+                "X-Anubis-Authorized"
+              ];
             };
           };
         };