diff --git a/internal/auth/oidc.go b/internal/auth/oidc.go
index e340781..d9e9d0c 100644
--- a/internal/auth/oidc.go
+++ b/internal/auth/oidc.go
@@ -193,7 +193,13 @@ func (auth *OIDCProvider) LoginHandler(w http.ResponseWriter, r *http.Request) {
 	state := generateState()
 	SetTokenCookie(w, r, CookieOauthState, state, 300*time.Second)
 	// redirect user to Idp
-	http.Redirect(w, r, auth.oauthConfig.AuthCodeURL(state, optRedirectPostAuth(r)), http.StatusFound)
+	url := auth.oauthConfig.AuthCodeURL(state, optRedirectPostAuth(r))
+	if IsFrontend(r) {
+		w.Header().Set("X-Redirect-To", url)
+		w.WriteHeader(http.StatusForbidden)
+	} else {
+		http.Redirect(w, r, url, http.StatusFound)
+	}
 }
 
 func parseClaims(idToken *oidc.IDToken) (*IDTokenClaims, error) {
diff --git a/internal/auth/utils.go b/internal/auth/utils.go
index 5fb043b..5b38cec 100644
--- a/internal/auth/utils.go
+++ b/internal/auth/utils.go
@@ -1,6 +1,7 @@
 package auth
 
 import (
+	"net"
 	"net/http"
 	"time"
 
@@ -16,7 +17,15 @@ var (
 )
 
 func IsFrontend(r *http.Request) bool {
-	return r.Host == common.APIHTTPAddr
+	return requestRemoteIP(r) == "127.0.0.1"
+}
+
+func requestRemoteIP(r *http.Request) string {
+	ip, _, err := net.SplitHostPort(r.RemoteAddr)
+	if err != nil {
+		return ""
+	}
+	return ip
 }
 
 func requestHost(r *http.Request) string {
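Review bot: The new local `url` on the first added line of the oidc.go hunk shadows the `net/url` package name, which a file building OAuth/OIDC URLs very likely imports, and the context comment `// redirect user to Idp` just above it now describes only the else branch. Rename the local, e.g. `authURL := auth.oauthConfig.AuthCodeURL(state, optRedirectPostAuth(r))`, and extend the comment to say that frontend callers receive the IdP URL in the `X-Redirect-To` header with a 403 rather than a 302, so the browser's fetch layer does not follow the redirect itself. Which branch a caller lands in now depends entirely on `IsFrontend`, which this same commit redefines as a source-address test in utils.go (see the note on that hunk); a reader of LoginHandler cannot tell that from here, so it is worth stating in the comment. LoginHandler's signature and the start of its body are outside the hunk.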
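Review bot: `IsFrontend` in the second utils.go hunk now classifies a request as frontend solely because it arrived from `127.0.0.1`, which misses the IPv6 loopback `::1` and, if the service ever sits behind a reverse proxy or sidecar on the same host, matches every client so that all browser logins get the 403/X-Redirect-To response instead of the redirect. If loopback origin is the intended signal, compare it as such, `return net.ParseIP(requestRemoteIP(r)).IsLoopback()`, and document the assumption above the function: `// IsFrontend reports whether the request came in over the loopback interface; it assumes the frontend is the only loopback client and that no proxy rewrites RemoteAddr.` The removed line was the only visible reference to `common.APIHTTPAddr`; if nothing else in utils.go uses `common`, that import must go too, which the hunk does not show. `requestRemoteIP` returning `""` on a `SplitHostPort` failure is safe for either comparison, since neither the literal nor `IsLoopback` on a nil IP matches it.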