diff --git a/headlamp/headlamp.yaml b/headlamp/headlamp.yaml
index 2668629..5af6096 100644
--- a/headlamp/headlamp.yaml
+++ b/headlamp/headlamp.yaml
@@ -91,33 +91,15 @@ spec:
 - port: 80
 targetPort: 4466
 ---
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: https-redirect
- namespace: kube-system
-spec:
- redirectScheme:
- scheme: https
- permanent: true
----
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
 name: headlamp
 namespace: kube-system
- annotations:
- cert-manager.io/cluster-issuer: letsencrypt
- # Force HTTP->HTTPS at Traefik (proxy-level, no app redirect loop).
- traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
 spec:
 ingressClassName: traefik
- tls:
- - hosts:
- - headlamp.roysland.net
- secretName: headlamp-tls
 rules:
- - host: headlamp.roysland.net
+ - host: headlamp.local
 http:
 paths:
 - path: /
diff --git a/passbolt/passbolt.yaml b/passbolt/passbolt.yaml
index 548c9d4..826dde4 100644
--- a/passbolt/passbolt.yaml
+++ b/passbolt/passbolt.yaml
@@ -121,11 +121,6 @@ spec:
 env:
 - name: APP_FULL_BASE_URL
 value: "https://pb.roysland.net"
- # Must match the server key on the gpg PVC (uid passbolt@yourdomain.com).
- # Without it passbolt's config fingerprint mismatches the actual key and
- # the GPG login handshake fails (web login loops back to the login page).
- - name: PASSBOLT_GPG_SERVER_KEY_FINGERPRINT
- value: "1471F6B122637CC7A95E63DCA214B492C0F7DF56"
 - name: DATASOURCES_DEFAULT_HOST
 value: "mariadb"
 - name: DATASOURCES_DEFAULT_PORT
@@ -145,12 +140,8 @@ spec:
 secretKeyRef:
 name: passbolt-secrets
 key: DATASOURCES_DEFAULT_DATABASE
- # TLS is terminated by Traefik, which forwards plain HTTP to :80.
- # The container must NOT force its own HTTP->HTTPS redirect or it
- # creates an infinite redirect loop. APP_FULL_BASE_URL stays https
- # so generated links remain https.
 - name: PASSBOLT_SSL_FORCE
- value: "false"
+ value: "true"
 ports:
 - containerPort: 80
 - containerPort: 443
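Review bot: The `headlamp` Ingress on the new side has no `tls:` block, no `cert-manager.io/cluster-issuer` annotation and no HTTPS redirect, so the dashboard at `headlamp.local` is served over plain HTTP only. Headlamp is a cluster-administration UI, so whatever users submit to it (presumably including Kubernetes bearer tokens at login; confirm against how auth is configured here) would cross the network unencrypted. If the `letsencrypt` issuer was dropped because it cannot issue for a `.local` name, consider keeping `tls:` with `hosts: [headlamp.local]` and `secretName: headlamp-tls` backed by an internal or self-signed issuer, and keeping the `https-redirect` Middleware. The Ingress spec continues past the end of this hunk.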
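Review bot: `PASSBOLT_SSL_FORCE` is flipped to `"true"` while the Service in the following hunk still maps `port: 80` to `targetPort: 80` and the passbolt Ingress keeps its `tls:` block. That is the arrangement the removed comment said produces an infinite redirect loop. The last two hunks also delete the `https-redirect` Middleware and its `router.middlewares` annotation, so HTTP-to-HTTPS enforcement appears to move from the proxy to the application. Either keep `value: "false"` together with the proxy-level redirect, or route Traefik to the container's 443 listener so the forced redirect can be satisfied. In both cases retain a comment stating where TLS terminates, e.g. `# TLS terminates at Traefik; the container receives plain HTTP on :80`. The container spec starts and ends outside this hunk.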
@@ -179,16 +170,6 @@ spec:
 - port: 80
 targetPort: 80
 ---
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: https-redirect
- namespace: passbolt
-spec:
- redirectScheme:
- scheme: https
- permanent: true
----
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
@@ -196,8 +177,6 @@ metadata:
 namespace: passbolt
 annotations:
 cert-manager.io/cluster-issuer: letsencrypt
- # Force HTTP->HTTPS at Traefik (proxy-level, no app redirect loop).
- traefik.ingress.kubernetes.io/router.middlewares: passbolt-https-redirect@kubernetescrd
 spec:
 ingressClassName: traefik
 tls: