diff --git a/.gitignore b/.gitignore
index a86cc73..c157e25 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,7 @@
-*.sqlite3
+*~
 *.db
+*.bak
+*.sqlite3
+**/.DS_Store
+
+/phoenix
diff --git a/config/main.go b/config/main.go
index 2750c2e..82e6189 100644
--- a/config/main.go
+++ b/config/main.go
@@ -12,6 +12,7 @@ type Config struct {
 	LogLevel string `default:"warning"`
 	EnableGinLogger bool `default:"false"`
 	Production bool `default:"true"`
+	HeaderAuth bool `default:"false"`
 	DefaultUsername string
 	DefaultPassword string
 }
diff --git a/readme.md b/readme.md
index 8ba1302..8fcce85 100644
--- a/readme.md
+++ b/readme.md
@@ -8,6 +8,7 @@ Self-hosted start page without the extra stuff.
 - No javascript
 - Relatively low resource consumption (around 7 MiB of RAM)
 - Authorization support
+ - SSO via Trusted Header Auth (_Reverse Proxy_)
 ## Configuration
 Service settings can be set through environment variables.
@@ -19,6 +20,7 @@ Service settings can be set through environment variables.
 | P_LOGLEVEL | Log level settings: `debug`, `info`, `warning`, `error`, `fatal` | `warning` |
 | P_ENABLEGINLOGGER | Enable gin's logging middleware. Can create a lot of logs. | `false` |
 | P_PRODUCTION | Is this instance running in production mode? | `true` |
+| P_HEADERAUTH | Enable Trusted Header Auth (SSO) | `false` |
 | P_DEFAULTUSERNAME | Data for the first user. | |
 | P_DEFAULTPASSWORD | Data for the first user. | |
 
diff --git a/views/auth.go b/views/auth.go
index 61336ef..2308fe9 100644
--- a/views/auth.go
+++ b/views/auth.go
@@ -3,13 +3,14 @@ package views
 import (
 	"errors"
 	"fmt"
+	"net/http"
+	"time"
+
 	"github.com/gin-gonic/gin"
 	"github.com/golang-jwt/jwt/v5"
 	"github.com/ordinary-dev/phoenix/config"
 	"github.com/ordinary-dev/phoenix/database"
 	"gorm.io/gorm"
-	"net/http"
-	"time"
 )
 
 func ShowRegistrationForm(c *gin.Context, db *gorm.DB) {
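Review bot: The new `HeaderAuth` field in config/main.go carries no comment on what enabling it means, while the matching change in views/auth.go turns the `Remote-User` request header into an authentication credential. A one-line field comment would make the trust assumption visible where operators read the config: `// HeaderAuth accepts the Remote-User header from an upstream reverse proxy as proof of identity; enable only when the service is reachable solely through that proxy, which must strip the header from client requests.` The P_HEADERAUTH row in readme.md could carry the same caveat. The rest of the Config struct is outside the hunk.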
@@ -69,13 +70,23 @@ func RequireAuth(c *gin.Context, cfg *config.Config) (*jwt.RegisteredClaims, err
 func AuthMiddleware(c *gin.Context, db *gorm.DB, cfg *config.Config) {
 	claims, err := RequireAuth(c, cfg)
 	if err != nil {
-		if database.CountAdmins(db) < 1 {
-			c.Redirect(http.StatusFound, "/registration")
+		if cfg.HeaderAuth && c.Request.Header.Get("Remote-User") != "" {
+			// Generate access token.
+			token, err := GetJWTToken(cfg)
+			if err != nil {
+				ShowError(c, err)
+				return
+			}
+			SetTokenCookie(c, token)
 		} else {
-			c.Redirect(http.StatusFound, "/signin")
+			if database.CountAdmins(db) < 1 {
+				c.Redirect(http.StatusFound, "/registration")
+			} else {
+				c.Redirect(http.StatusFound, "/signin")
+			}
+			c.Abort()
+			return
 		}
-		c.Abort()
-		return
 	}
 
 	// Create a new token if the old one is about to expire
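Review bot: The header branch mints a session on any non-empty `Remote-User` value: the name is never compared with an existing account (`GetJWTToken(cfg)` takes no identity) and nothing checks that the request came through the proxy, so the only safeguard is that no client can reach this listener directly. That assumption should be stated in a comment beside the `cfg.HeaderAuth` check, and the header value should be resolved to a known user before `GetJWTToken` is called, rejecting unknown names the same way a failed sign-in is. After `SetTokenCookie(c, token)` control falls through with `claims` still nil (RequireAuth returned an error) into the refresh block starting at `// Create a new token if the old one is about to expire`; that block's body is outside the hunk, and if it dereferences `claims` this path panics, so add `return` after `SetTokenCookie(c, token)` — the cookie just set needs no refresh. Logging the header-authenticated sign-in with the supplied name would also make a misconfigured proxy visible in the audit trail. AuthMiddleware continues past the end of the hunk.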