diff --git a/.env.example b/.env.example
index c9f5441..d5b6bf5 100644
--- a/.env.example
+++ b/.env.example
@@ -15,6 +15,9 @@ DATABASE_PASS=icyauth
 SESSION_SECRET=32 char key
 CHALLENGE_SECRET=64 char key
+# Set "Secure" flag on the cookie
+SESSION_SECURE=true
+
 
 # OpenID Connect JWT (ID token) settings
 # Private keys for JWTs are stored as files in the private directory
 JWT_ALGORITHM=RS256
diff --git a/src/hooks.server.ts b/src/hooks.server.ts
index ede6176..4448d61 100644
--- a/src/hooks.server.ts
+++ b/src/hooks.server.ts
@@ -1,4 +1,4 @@
-import { AUTO_MIGRATE, SESSION_SECRET } from '$env/static/private';
+import { AUTO_MIGRATE, SESSION_SECRET, SESSION_SECURE } from '$env/static/private';
 import { csrf } from '$lib/server/csrf';
 import { DB } from '$lib/server/drizzle';
 import { runSeeds } from '$lib/server/drizzle/seeds';
@@ -19,6 +19,9 @@ await runSeeds();
 export const handle = sequence(
 	csrf(['/oauth2/token', '/oauth2/introspect']),
 	handleSession({
-		secret: SESSION_SECRET
+		secret: SESSION_SECRET,
+		cookie: {
+			secure: SESSION_SECURE === 'true'
+		}
 	})
 );
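Review bot: The new comment above `SESSION_SECURE=true` does not say which values enable the flag, while the hooks.server.ts hunk in this same diff only honours the exact string `'true'`, so a deployment that writes `True`, `1` or `yes` silently ships a session cookie without the Secure attribute. Suggest `# Set the "Secure" attribute on the session cookie; only the exact value "true" enables it. Keep it true everywhere except plain-HTTP local development.` Because the variable is read from `$env/static/private`, it presumably has to be present in every environment's .env for the build to succeed, which is worth stating in the same comment.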
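Review bot: `secure: SESSION_SECURE === 'true'` in the handleSession hunk fails open: an unset, empty or differently spelled value (`TRUE`, `1`) yields a session cookie without the Secure attribute, which is the wrong default direction for an auth server's session. Prefer an explicit opt-out, `secure: SESSION_SECURE !== 'false'`, or at minimum normalise the input with `secure: SESSION_SECURE.trim().toLowerCase() === 'true'`, and consider refusing to start with the flag off when `dev` from `$app/environment` is false. The hunk does not show whether handleSession's cookie defaults already set `httpOnly` and `sameSite`; if the library exposes them and they are not defaulted, they belong in this same `cookie` object. The enclosing `sequence(...)` call is fully visible, but the `handleSession` options type is not, so the exact option names should be checked against the library.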