diff --git a/frontend/src/components/layout/layout.tsx b/frontend/src/components/layout/layout.tsx
index e129092e..f9a01d88 100644
--- a/frontend/src/components/layout/layout.tsx
+++ b/frontend/src/components/layout/layout.tsx
@@ -40,11 +40,7 @@ export const Layout = () => {
     setIgnoreDomainWarning(true);
   }, [setIgnoreDomainWarning]);
 
-  if (
-    !ignoreDomainWarning &&
-    ui.warningsEnabled &&
-    !app.trustedDomains.includes(currentUrl)
-  ) {
+  if (!ignoreDomainWarning && ui.warningsEnabled && currentUrl !== app.appUrl) {
     return (
       <BaseLayout>
         <DomainWarning
diff --git a/frontend/src/schemas/app-context-schema.ts b/frontend/src/schemas/app-context-schema.ts
index a91dda77..4ad64940 100644
--- a/frontend/src/schemas/app-context-schema.ts
+++ b/frontend/src/schemas/app-context-schema.ts
@@ -24,7 +24,6 @@ const uiSchema = z.object({
 const appSchema = z.object({
   appUrl: z.string(),
   cookieDomain: z.string(),
-  trustedDomains: z.array(z.string()),
 });
 
 export const appContextSchema = z.object({
diff --git a/internal/bootstrap/app_bootstrap.go b/internal/bootstrap/app_bootstrap.go
index 50aa49ef..fc696b64 100644
--- a/internal/bootstrap/app_bootstrap.go
+++ b/internal/bootstrap/app_bootstrap.go
@@ -99,7 +99,6 @@ func (app *BootstrapApp) Setup() error {
 	}
 
 	app.runtime.AppURL = appUrl.Scheme + "://" + appUrl.Host
-	app.runtime.TrustedDomains = append(app.runtime.TrustedDomains, app.runtime.AppURL)
 
 	// validate session config
 	if app.config.Auth.SessionMaxLifetime != 0 && app.config.Auth.SessionMaxLifetime < app.config.Auth.SessionExpiry {
@@ -286,9 +285,13 @@ func (app *BootstrapApp) Setup() error {
 
 	app.runtime.ConfiguredProviders = configuredProviders
 
-	// throw in tailscale if it's configured just before setting up the controllers
+	// replace the default app url with the tailscale hostname if tailscale is enabled
 	if app.services.tailscaleService != nil {
-		app.runtime.TrustedDomains = append(app.runtime.TrustedDomains, "https://"+app.services.tailscaleService.GetHostname())
+		tailscaleUrl := "https://" + app.services.tailscaleService.GetHostname()
+		if tailscaleUrl != app.runtime.AppURL {
+			app.log.App.Info().Msg("Tailscale is enabled, replacing app url with tailscale hostname")
+			app.runtime.AppURL = tailscaleUrl
+		}
 	}
 
 	// setup router
diff --git a/internal/controller/context_controller.go b/internal/controller/context_controller.go
index 32574c99..5579c923 100644
--- a/internal/controller/context_controller.go
+++ b/internal/controller/context_controller.go
@@ -58,9 +58,8 @@ type ACRUI struct {
 }
 
 type ACRApp struct {
-	AppURL         string   `json:"appUrl"`
-	CookieDomain   string   `json:"cookieDomain"`
-	TrustedDomains []string `json:"trustedDomains"`
+	AppURL       string `json:"appUrl"`
+	CookieDomain string `json:"cookieDomain"`
 }
 
 type AppContextResponse struct {
@@ -160,9 +159,8 @@ func (controller *ContextController) appContextHandler(c *gin.Context) {
 			WarningsEnabled:       controller.config.UI.WarningsEnabled,
 		},
 		App: ACRApp{
-			AppURL:         controller.runtime.AppURL,
-			CookieDomain:   controller.runtime.CookieDomain,
-			TrustedDomains: controller.runtime.TrustedDomains,
+			AppURL:       controller.runtime.AppURL,
+			CookieDomain: controller.runtime.CookieDomain,
 		},
 	})
 }
diff --git a/internal/controller/oauth_controller.go b/internal/controller/oauth_controller.go
index e01bf480..1aa84a7b 100644
--- a/internal/controller/oauth_controller.go
+++ b/internal/controller/oauth_controller.go
@@ -12,7 +12,6 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
-	"github.com/weppos/publicsuffix-go/publicsuffix"
 	"go.uber.org/dig"
 
 	"github.com/gin-gonic/gin"
@@ -314,51 +313,38 @@ func (controller *OAuthController) getCookieDomain() string {
 func (controller *OAuthController) isRedirectSafe(redirectURI string) bool {
 	u, err := url.Parse(redirectURI)
 
-	if err != nil || u.Host == "" || u.Scheme == "" {
+	if err != nil {
+		controller.log.App.Error().Err(err).Str("redirectUri", redirectURI).Msg("Failed to parse redirect URI")
 		return false
 	}
 
-	for _, allowed := range controller.runtime.TrustedDomains {
-		tu, err := url.Parse(allowed)
-		if err != nil {
-			controller.log.App.Error().Err(err).Str("allowed", allowed).Msg("Failed to parse trusted domain")
-			continue
-		}
+	if u.Scheme == "" || u.Host == "" {
+		controller.log.App.Warn().Str("redirectUri", redirectURI).Msg("Redirect URI has invalid scheme or host")
+		return false
+	}
 
-		if tu.Scheme != u.Scheme {
-			continue
-		}
+	au, err := url.Parse(controller.runtime.AppURL)
 
-		// exact match
-		if strings.EqualFold(u.Host, tu.Host) {
-			return true
-		}
+	if err != nil {
+		controller.log.App.Error().Err(err).Str("appUrl", controller.runtime.AppURL).Msg("Failed to parse app URL")
+		return false
+	}
 
-		// if subdomains are disabled, end here
-		if !controller.config.Auth.SubdomainsEnabled {
-			continue
-		}
+	if u.Scheme != au.Scheme {
+		controller.log.App.Warn().Str("redirectUri", redirectURI).Str("appUrl", controller.runtime.AppURL).Msg("Redirect URI scheme does not match app URL scheme")
+		return false
+	}
 
-		// get the root domain (e.g. tinyauth.example.com -> example.com or
-		// tinyauth.sub.example.com -> sub.example.com)
-		_, root, ok := strings.Cut(tu.Host, ".")
-		if !ok {
-			continue
-		}
+	if u.Host == au.Host {
+		return true
+	}
 
-		root = strings.ToLower(root)
+	if !controller.config.Auth.SubdomainsEnabled {
+		return false
+	}
 
-		// check if the root domain is in the psl
-		_, err = publicsuffix.DomainFromListWithOptions(publicsuffix.DefaultList, root, nil)
-
-		if err != nil {
-			continue
-		}
-
-		// subdomain match
-		if strings.HasSuffix(strings.ToLower(u.Host), "."+root) {
-			return true
-		}
+	if strings.HasSuffix(u.Host, "."+au.Host) {
+		return true
 	}
 
 	return false
diff --git a/internal/model/runtime.go b/internal/model/runtime.go
index 0df99901..e1c034d3 100644
--- a/internal/model/runtime.go
+++ b/internal/model/runtime.go
@@ -12,7 +12,6 @@ type RuntimeConfig struct {
 	OAuthProviders         map[string]OAuthServiceConfig
 	OAuthWhitelist         []string
 	ConfiguredProviders    []Provider
-	TrustedDomains         []string
 }
 
 type Provider struct {