diff --git a/Taskfile.yml b/Taskfile.yml
index 45a8f29..8c65120 100644
--- a/Taskfile.yml
+++ b/Taskfile.yml
@@ -127,7 +127,7 @@ tasks:
 desc: Runs end-to-end test on a live server (only for use in CI)
 cmds:
 - cd backend && go build ./app/api
- - backend/api &
+ - HBOX_OPTIONS_HEADER_SSO_ENABLED=1 HBOX_OPTIONS_HEADER_SSO_ALLOWED_IP=127.0.0.1 backend/api &
 - sleep 5
 - cd frontend && pnpm run test:ci
 silent: true
diff --git a/frontend/lib/api/__test__/user/trusted_headers.test.ts b/frontend/lib/api/__test__/user/trusted_headers.test.ts
new file mode 100644
index 0000000..a213015
--- /dev/null
+++ b/frontend/lib/api/__test__/user/trusted_headers.test.ts
@@ -0,0 +1,39 @@
+import { describe, expect, test } from "vitest";
+
+import { PublicApi } from "../../public";
+import * as config from "../../../../test/config";
+import { Requests } from "../../../requests";
+import { overrideParts } from "../../base/urls";
+
+describe("trusted header handling", () => {
+ overrideParts(config.BASE_URL, "/api/v1");
+ const requests = new Requests("");
+ const pub = new PublicApi(requests);
+
+ test("basic login using HTTP headers", async () => {
+ const ssoHeaders = {
+ "Remote-Email": "test@test.com",
+ "Remote-Name": "Test User",
+ "Remote-Groups": "admins,local",
+ };
+
+ const response = await pub.login_sso_header(ssoHeaders);
+ expect(response.error).toBeFalsy();
+ }, 20000);
+
+ test("basic login using HTTP headers fails no headers", async () => {
+ const ssoHeaders = {};
+
+ const response = await pub.login_sso_header(ssoHeaders);
+ expect(response.error).toBeTruthy();
+ }, 20000);
+
+ test("basic login using HTTP headers empty email header", async () => {
+ const ssoHeaders = {
+ "Remote-Email": "",
+ };
+
+ const response = await pub.login_sso_header(ssoHeaders);
+ expect(response.error).toBeTruthy();
+ }, 20000);
+});
diff --git a/frontend/lib/api/public.ts b/frontend/lib/api/public.ts
index d88361c..631a967 100644
--- a/frontend/lib/api/public.ts
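Review bot: The negative cases in trusted_headers.test.ts cover only a missing or empty `Remote-Email`, and the positive case asserts nothing beyond `expect(response.error).toBeFalsy()`, so an endpoint that answered an empty 200 without creating a session would still pass. Consider asserting on the returned payload as well (a token or session value — the field name depends on the response shape, which is not visible in this diff) or following up with a profile call and checking that the email is `test@test.com`. Note also that because the backend is started with `HBOX_OPTIONS_HEADER_SSO_ALLOWED_IP=127.0.0.1` and the test client connects from loopback, this suite exercises header validation but never the source-IP gate that appears to be the actual trust boundary for these headers; a comment in the describe block such as `// NOTE: client and server share loopback in CI, so the ALLOWED_IP check is always satisfied here and is not covered by these tests` would stop a future reader from taking these tests as proof that spoofed Remote-* headers are rejected.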
+++ b/frontend/lib/api/public.ts
@@ -24,15 +24,18 @@ export class PublicApi extends BaseAPI {
 });
 }
- public login_sso_header() {
+ // headers parameter only here for unit testing
+ public login_sso_header(headers = {}) {
+ const testHeaders = {
+ /** TODO: remove headers here. Only for testing. Usually the SSO servie will add this */
+ // "Remote-Email": "demo3@example.com",
+ // "Remote-Name": "Fritz3",
+ // "Remote-Groups": "admins,local",
+ };
+ const queryHeaders = { ...headers, ...testHeaders };
 return this.http.post({
 url: route("/users/login-sso-header"),
- /** TODO: remove header here. Only for testing. Usually the SSO servie will add this */
- headers: {
- "Remote-Email": "demo3@example.com",
- "Remote-Name": "Fritz3",
- "Remote-Groups": "admins,local",
- },
+ headers: queryHeaders,
 });
 }
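Review bot: `testHeaders` in the new `login_sso_header` body is an empty object whose only contents are commented-out sample headers and a TODO, so `const queryHeaders = { ...headers, ...testHeaders };` is just a copy of `headers`; the dead object and the stale TODO (which still carries the `servie` typo of the comment it replaces) should be dropped, leaving `headers,` in the post options. The `headers = {}` parameter also deserves a type and a more precise comment than "only here for unit testing": this is a public method of the production client, and whatever is passed is sent by the browser as `Remote-*` headers, which looks safe only because the backend appears to honour them solely from the configured allowed source IP. Suggested signature `public login_sso_header(headers: Record<string, string> = {})` with a JSDoc stating that the method logs in via trusted proxy headers, that `headers` is a test hook, and that in production the reverse proxy sets the Remote-* headers and callers should pass nothing. The enclosing class continues past the end of this hunk.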