InvalidAuthenticityToken Error when running behind Caddy reverse proxy

For being able to use LetsEncrypt certificates, I’m running Caddy as a reverse proxy in front of apache2 as the setup for DNS challenge is easy with Caddy.
I get a basic OOD installation running without problems. I only had to put OIDCXForwardedHeaders: "X-Forwarded-Host X-Forwarded-Proto" into oidc_settings of ood_portal.yml.j2.

However, when trying to launch a Jupyter app, I see the following error in my logs:

ActionController::InvalidAuthenticityToken (HTTP Origin header (https://ondemand.myorg.de) didn't match request.base_url (http://ondemand.myorg.de)):

I assume that this is the first time I do a true HTTP POST and this is where a CSRF protection kicks in…

Is there a way to make it known to PUN that it’s OK to allow http__S__://ondemand.myorg.de as well?

I was missing the following lines in my ood_portal.yml

custom_location_directives:
  - 'RequestHeader set X-Forwarded-Proto "https"'