diff --git a/frontend/src/components/layout/layout.tsx b/frontend/src/components/layout/layout.tsx
index f9a01d88..3139022f 100644
--- a/frontend/src/components/layout/layout.tsx
+++ b/frontend/src/components/layout/layout.tsx
@@ -3,6 +3,7 @@ import { Outlet } from "react-router";
 import { useCallback, useEffect, useState } from "react";
 import { DomainWarning } from "../domain-warning/domain-warning";
 import { QuickActions } from "../quick-actions/quick-actions";
+import { isTrustedDomain } from "@/lib/hooks/redirect-uri";
 const BaseLayout = ({ children }: { children: React.ReactNode }) => {
 const { ui } = useAppContext();
@@ -40,7 +41,18 @@ export const Layout = () => {
 setIgnoreDomainWarning(true);
 }, [setIgnoreDomainWarning]);
- if (!ignoreDomainWarning && ui.warningsEnabled && currentUrl !== app.appUrl) {
+ const isTrusted = (() => {
+ try {
+ const appUrlObj = new URL(app.appUrl);
+ const currentUrlObj = new URL(currentUrl);
+
+ return isTrustedDomain(currentUrlObj, appUrlObj, "", false);
+ } catch {
+ return false;
+ }
+ })();
+
+ if (!ignoreDomainWarning && ui.warningsEnabled && !isTrusted) {
 return ( { return "80"; };
-const isTrustedDomain = (
+export const isTrustedDomain = (
 url: URL,
 appUrl: URL,
 cookieDomain: string,
diff --git a/internal/utils/app_utils.go b/internal/utils/app_utils.go
index 00adf246..7d30e63a 100644
--- a/internal/utils/app_utils.go
+++ b/internal/utils/app_utils.go
@@ -9,7 +9,9 @@ import (
 "github.com/weppos/publicsuffix-go/publicsuffix"
 )
-// Get cookie domain parses a hostname and returns the upper domain (e.g. sub1.sub2.domain.com -> sub2.domain.com)
+// GetCookieDomain parses the app url and returns the domain value to use for cookies.
+// When auth for subdomains is enabled, it strips the leftmost label
+// (e.g. sub1.sub2.domain.com -> sub2.domain.com), otherwise it returns the full hostname.
 func GetCookieDomain(appUrl string, subdomainsEnabled bool) (string, error) {
 u, err := url.Parse(appUrl)
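Review bot: Importing the raw `isTrustedDomain` predicate into the layout pulls server-side configuration knobs into a component: its signature (visible in the redirect-uri hunk further down) takes `cookieDomain` and a subdomains flag that the layout cannot know, and the one call site in this file hard-codes them as `""` and `false`, so when the backend presumably runs with subdomain auth enabled the frontend's notion of "trusted" and the server's cookie scope will disagree. Instead of widening the export to this component, export a config-free wrapper from the same module and import that here: `/** Same-origin check for the domain warning; deliberately ignores the server's subdomain/cookie-domain settings. */` followed by `export const isSameAppOrigin = (url: URL, appUrl: URL) => isTrustedDomain(url, appUrl, "", false);`. The old `currentUrl !== app.appUrl` string compare also implicitly required the same scheme; whether the new check still does depends on `isTrustedDomain`'s body, which is outside this view, and is worth confirming since the warning appears to be the user's only cue that they are on a different origin (purpose inferred from the component name).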
diff --git a/internal/utils/app_utils_test.go b/internal/utils/app_utils_test.go
index e4525335..296c168a 100644
--- a/internal/utils/app_utils_test.go
+++ b/internal/utils/app_utils_test.go
@@ -54,7 +54,7 @@ func TestGetRootDomain(t *testing.T) {
 // Domain managed by ICANN
 domain = "http://example.co.uk"
 _, err = utils.GetCookieDomain(domain, true)
- assert.Error(t, err, "domain in public suffix list, cannot set cookies")
+ assert.ErrorContains(t, err, "domain in public suffix list, cannot set cookies")
 // Domain without subdomain
 domain = "http://tinyauth.app"
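Review bot: The switch to `assert.ErrorContains` is the right fix (the extra argument to `assert.Error` is a failure message, not an expected substring, so the old line never checked which error came back), but the case still only exercises `subdomainsEnabled=true` and discards the returned domain. The updated doc comment on `GetCookieDomain` in the app_utils.go hunk says the full hostname is returned when subdomain auth is off, so pin that boundary right next to this case: `d, err := utils.GetCookieDomain(domain, false)` / `assert.NoError(t, err)` / `assert.Equal(t, "example.co.uk", d)`, which guards against a future change that consults the public-suffix list even when no label is stripped. The existing comment should also say what is actually being tested, e.g. `// Stripping one label yields co.uk, a public suffix: must be rejected`. The enclosing TestGetRootDomain continues outside the hunk, and its name no longer matches the function under test.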