diff --git a/integration/auth_oidc_test.go b/integration/auth_oidc_test.go
index d0929c4e..6fbdd9e4 100644
--- a/integration/auth_oidc_test.go
+++ b/integration/auth_oidc_test.go
@@ -68,6 +68,7 @@ func TestOIDCAuthenticationPingAll(t *testing.T) {
 		spec,
 		hsic.WithTestName("oidcauthping"),
 		hsic.WithConfigEnv(oidcMap),
+		hsic.WithTLS(),
 		hsic.WithHostnameAsServerURL(),
 		hsic.WithFileInContainer("/tmp/hs_client_oidc_secret", []byte(oidcConfig.ClientSecret)),
 	)
@@ -299,6 +300,10 @@ func (s *AuthOIDCScenario) runTailscaleUp(
 				loginURL.Host = fmt.Sprintf("%s:8080", headscale.GetIP())
 				loginURL.Scheme = "http"
 
+				if len(headscale.GetCert()) > 0 {
+					loginURL.Scheme = "https"
+				}
+
 				insecureTransport := &http.Transport{
 					TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // nolint
 				}
diff --git a/integration/auth_web_flow_test.go b/integration/auth_web_flow_test.go
index 2eacd276..3ef31422 100644
--- a/integration/auth_web_flow_test.go
+++ b/integration/auth_web_flow_test.go
@@ -2,6 +2,7 @@ package integration
 
 import (
 	"context"
+	"crypto/tls"
 	"errors"
 	"fmt"
 	"io"
@@ -41,7 +42,13 @@ func TestAuthWebFlowAuthenticationPingAll(t *testing.T) {
 		"user2": len(MustTestVersions),
 	}
 
-	err = scenario.CreateHeadscaleEnv(spec, hsic.WithTestName("webauthping"))
+	err = scenario.CreateHeadscaleEnv(
+		spec,
+		hsic.WithTestName("webauthping"),
+		hsic.WithEmbeddedDERPServerOnly(),
+		hsic.WithTLS(),
+		hsic.WithHostnameAsServerURL(),
+	)
 	assertNoErrHeadscaleEnv(t, err)
 
 	allClients, err := scenario.ListTailscaleClients()
@@ -275,7 +282,16 @@ func (s *AuthWebFlowScenario) runHeadscaleRegister(userStr string, loginURL *url
 	loginURL.Host = fmt.Sprintf("%s:8080", headscale.GetIP())
 	loginURL.Scheme = "http"
 
-	httpClient := &http.Client{}
+	if len(headscale.GetCert()) > 0 {
+		loginURL.Scheme = "https"
+	}
+
+	insecureTransport := &http.Transport{
+		TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // nolint
+	}
+	httpClient := &http.Client{
+		Transport: insecureTransport,
+	}
 	ctx := context.Background()
 	req, _ := http.NewRequestWithContext(ctx, http.MethodGet, loginURL.String(), nil)
 	resp, err := httpClient.Do(req)
diff --git a/integration/cli_test.go b/integration/cli_test.go
index aa34dc47..2b81e814 100644
--- a/integration/cli_test.go
+++ b/integration/cli_test.go
@@ -405,7 +405,14 @@ func TestPreAuthKeyCorrectUserLoggedInCommand(t *testing.T) {
 		user2: 0,
 	}
 
-	err = scenario.CreateHeadscaleEnv(spec, []tsic.Option{}, hsic.WithTestName("clipak"))
+	err = scenario.CreateHeadscaleEnv(
+		spec,
+		[]tsic.Option{},
+		hsic.WithTestName("clipak"),
+		hsic.WithEmbeddedDERPServerOnly(),
+		hsic.WithTLS(),
+		hsic.WithHostnameAsServerURL(),
+	)
 	assertNoErr(t, err)
 
 	headscale, err := scenario.Headscale()