diff --git a/internal/api/api.go b/internal/api/api.go
index 2df8a24..780e309 100644
--- a/internal/api/api.go
+++ b/internal/api/api.go
@@ -36,17 +36,28 @@ func Run(config types.Config, users types.UserList) {
 domain, domainErr := utils.GetRootURL(config.AppURL)
- log.Info().Str("domain", domain).Msg("Using domain")
+ log.Info().Str("domain", domain).Msg("Using domain for cookies")
 if domainErr != nil {
 log.Fatal().Err(domainErr).Msg("Failed to get domain")
 os.Exit(1)
 }
+
+ var isSecure bool
+
+ if config.CookieSecure {
+ isSecure = true
+ } else {
+ isSecure = false
+ }
 store.Options(sessions.Options{
 Domain: fmt.Sprintf(".%s", domain),
 Path: "/",
+ HttpOnly: true,
+ Secure: isSecure,
 })
+
 router.Use(sessions.Sessions("tinyauth", store))
 router.Use(func(c *gin.Context) {
diff --git a/internal/types/types.go b/internal/types/types.go
index 053cd81..2fa9aac 100644
--- a/internal/types/types.go
+++ b/internal/types/types.go
@@ -25,6 +25,7 @@ type Config struct {
 AppURL string `validate:"required,url" mapstructure:"app-url"`
 Users string `mapstructure:"users"`
 UsersFile string `mapstructure:"users-file"`
+ CookieSecure bool `mapstructure:"cookie-secure"`
 }
 type UserContext struct {
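Review bot: `Secure` is opt-in in the `store.Options` call — `CookieSecure` is a plain bool, so an operator who omits `cookie-secure` gets a session cookie that browsers will also send over plain HTTP, and because the cookie is scoped to `.domain` that exposure covers every subdomain; for an auth cookie I would default it to true, or derive it from `config.AppURL` (already validated as a URL) and only honour an explicit false. The seven-line `isSecure` block is also just a copy of the flag; `Secure: config.CookieSecure,` inside the options literal says the same thing without the temporary. If the sessions package in use exposes the field, `SameSite: http.SameSiteLaxMode,` next to `HttpOnly: true,` would close the cross-site-request case that `HttpOnly` alone does not. Run starts before this hunk and continues past it.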
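Review bot: The new `CookieSecure` field has no doc comment, and its zero value (false) is the insecure choice, which a reader of the config struct cannot tell from the tag alone. I would add `// CookieSecure sets the Secure attribute on the session cookie so browsers only send it over HTTPS; it defaults to false, so set cookie-secure=true whenever AppURL is served over TLS.` above the field. The Config struct begins before this hunk (its header is only the hunk context line) and the file continues past it.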