diff --git a/changelog/unreleased/fix-insecure-option-with-default-true.md b/changelog/unreleased/fix-insecure-option-with-default-true.md
new file mode 100644
index 0000000000..c62f6156aa
--- /dev/null
+++ b/changelog/unreleased/fix-insecure-option-with-default-true.md
@@ -0,0 +1,6 @@
+Bugfix: Change the default value for PROXY_OIDC_INSECURE to false
+
+We've changed the default value for PROXY_OIDC_INSECURE to `false`.
+Previously the default values was `true` which is not acceptable since default values need to be secure.
+
+https://github.com/owncloud/ocis/pull/4601
diff --git a/ocis/pkg/init/init.go b/ocis/pkg/init/init.go
index a700bcdee6..512ba4ae69 100644
--- a/ocis/pkg/init/init.go
+++ b/ocis/pkg/init/init.go
@@ -28,7 +28,12 @@ type InsecureService struct {
 }
 
 type InsecureProxyService struct {
- InsecureBackends bool `yaml:"insecure_backends"`
+ OIDC InsecureProxyOIDC `yaml:"oidc"`
+ InsecureBackends bool `yaml:"insecure_backends"`
+}
+
+type InsecureProxyOIDC struct {
+ Insecure bool `yaml:"insecure"`
 }
 
 type LdapSettings struct {
@@ -282,6 +287,9 @@ func CreateConfig(insecure, forceOverwrite bool, configPath, adminPassword strin
 }
 cfg.Proxy = InsecureProxyService{
 InsecureBackends: true,
+ OIDC: InsecureProxyOIDC{
+ Insecure: true,
+ },
 }
 
 cfg.Thumbnails.Thumbnail.WebdavAllowInsecure = true
diff --git a/services/proxy/pkg/config/defaults/defaultconfig.go b/services/proxy/pkg/config/defaults/defaultconfig.go
index 05740a72ef..931a5c3a76 100644
--- a/services/proxy/pkg/config/defaults/defaultconfig.go
+++ b/services/proxy/pkg/config/defaults/defaultconfig.go
@@ -33,9 +33,8 @@ func DefaultConfig() *config.Config {
 Name: "proxy",
 },
 OIDC: config.OIDC{
- Issuer: "https://localhost:9200",
- Insecure: true,
- //Insecure: true,
+ Issuer: "https://localhost:9200",
+ AccessTokenVerifyMethod: config.AccessTokenVerificationJWT,
 UserinfoCache: config.UserinfoCache{
 Size: 1024,
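Review bot: The new exported type `InsecureProxyOIDC` and the `OIDC` field on `InsecureProxyService` have no doc comment, and nothing records that the yaml path `proxy.oidc.insecure` written here must match the key the proxy service reads for the PROXY_OIDC_INSECURE setting named in the changelog. Suggest `// InsecureProxyOIDC holds the OIDC settings ocis init writes into the proxy section of the generated config for insecure/dev setups; yaml path must stay in sync with the proxy service's config struct.` on the type, and on the field `// Insecure presumably skips TLS verification of the OIDC issuer — confirm against services/proxy/pkg/config.` The key mapping is not verifiable from this diff, so a mismatch would silently leave the proxy at its new secure default and break the generated insecure setup rather than fail loudly.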
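Review bot: With the proxy default flipped to false, this assignment becomes the one place that re-enables insecure OIDC, and the generated ocis.yaml will persist `insecure: true` without any explanation; a why-comment at `OIDC: InsecureProxyOIDC{` is warranted, e.g. `// Opt in explicitly: the proxy's OIDC default is now secure (false), so the --insecure dev config must turn it on here.` The block that encloses this assignment starts before the hunk, so whether it is guarded by the `insecure` parameter of CreateConfig is not visible here — confirm it is unreachable on the default path, otherwise the changelog's claim about the default would be undone for every `ocis init` user. It would also be reasonable for init to log a warning when it writes this value so an operator does not promote a dev config to production unnoticed.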