diff --git a/src/auth/identification.py b/src/auth/identification.py
index ab265525..ef52b936 100644
--- a/src/auth/identification.py
+++ b/src/auth/identification.py
@@ -116,7 +116,8 @@ def _read_client_token(self, request_handler):
     def _write_client_token(self, client_id, request_handler):
         expiry_time = date_utils.get_current_millis() + days_to_ms(self.EXPIRES_DAYS)
         new_token = client_id + '&' + str(expiry_time)
-        request_handler.set_secure_cookie(self.COOKIE_KEY, new_token, expires_days=self.EXPIRES_DAYS)
+        server_config = request_handler.application.server_config
+        request_handler.set_secure_cookie(self.COOKIE_KEY, new_token, expires_days=self.EXPIRES_DAYS, secure=server_config.cookie_secure, httponly=server_config.cookie_httponly)
 
     def _can_write(self, request_handler):
         return can_write_secure_cookie(request_handler)
diff --git a/src/auth/tornado_auth.py b/src/auth/tornado_auth.py
index 05b741a0..1fa35d0f 100644
--- a/src/auth/tornado_auth.py
+++ b/src/auth/tornado_auth.py
@@ -88,7 +88,8 @@ def authenticate(self, request_handler):
 
         LOGGER.info('Authenticated user ' + username)
 
-        request_handler.set_secure_cookie('username', username, expires_days=self.authenticator.auth_expiration_days)
+        server_config = request_handler.application.server_config
+        request_handler.set_secure_cookie('username', username, expires_days=self.authenticator.auth_expiration_days, httponly=server_config.cookie_httponly, secure=server_config.cookie_secure)
 
         path = tornado.escape.url_unescape(request_handler.get_argument('next', '/'))
 
diff --git a/src/model/server_conf.py b/src/model/server_conf.py
index c3cf0de3..51788e5b 100644
--- a/src/model/server_conf.py
+++ b/src/model/server_conf.py
@@ -45,6 +45,8 @@ def __init__(self) -> None:
         self.xsrf_protection = None
         # noinspection PyTypeChecker
         self.env_vars: EnvVariables = None
+        self.cookie_secure = True
+        self.cookie_httponly = True
 
     def get_port(self):
         return self.port
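Review bot: The rewritten set_secure_cookie call on the second `+` line of `_write_client_token` still sets no SameSite attribute, so the client-token cookie is attached to cross-site requests even though the XSRF cookie configured in server.py in this same commit gets `'samesite': 'Lax'`; the `username` cookie written in tornado_auth.py's `authenticate` has the same gap. Unless a cross-site login flow depends on it, pass the attribute here too, `request_handler.set_secure_cookie(self.COOKIE_KEY, new_token, expires_days=self.EXPIRES_DAYS, secure=server_config.cookie_secure, httponly=server_config.cookie_httponly, samesite='Lax')`, or better, read it from the same `server_config` object so all three cookies stay consistent. The `request_handler.application.server_config` attribute is presumably assigned where the Application is built; that code is not in this hunk.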
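Review bot: The two new lines in `authenticate` duplicate the `server_config` lookup and the secure/httponly keyword pair from `_write_client_token` in identification.py, and the keywords are even passed in the opposite order (`httponly=..., secure=...` here, `secure=..., httponly=...` there), which makes it easy for the two cookies to drift apart the next time a flag is added. A small helper next to `can_write_secure_cookie` that returns `{'secure': server_config.cookie_secure, 'httponly': server_config.cookie_httponly}` for a request handler would let both call sites become `request_handler.set_secure_cookie('username', username, expires_days=self.authenticator.auth_expiration_days, **cookie_security_kwargs(request_handler))`. `authenticate` starts and ends outside this hunk.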
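Review bot: The two added attributes in `__init__` hard-code `True`, and the `from_json` hunk later in this commit repeats `default=True` for each, so the effective default lives in two places that can silently diverge. Hoist them into module-level constants, e.g. `DEFAULT_COOKIE_SECURE = True` and `DEFAULT_COOKIE_HTTPONLY = True`, use them in both places, and annotate the fields as the `env_vars` line above does, `self.cookie_secure: bool = DEFAULT_COOKIE_SECURE`. A one-line comment stating that browsers do not store a `Secure` cookie received over plain HTTP, so a non-TLS deployment must set it to false, would keep the next maintainer from flipping the default without seeing the consequence. `__init__` starts outside this hunk.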
@@ -201,6 +203,8 @@ def from_json(conf_path, temp_folder):
 
     security = model_helper.read_dict(json_object, 'security')
 
+    config.cookie_secure = model_helper.read_bool_from_config('cookie_secure', security, default=True)
+    config.cookie_httponly = model_helper.read_bool_from_config('cookie_httponly', security, default=True)
     config.allowed_users = _prepare_allowed_users(allowed_users, admin_users, user_groups)
     config.alerts_config = json_object.get('alerts')
     config.callbacks_config = json_object.get('callbacks')
diff --git a/src/web/server.py b/src/web/server.py
index 08c4389d..693f7eca 100755
--- a/src/web/server.py
+++ b/src/web/server.py
@@ -864,6 +864,11 @@ def init(server_config: ServerConfig,
         'websocket_ping_timeout': 300,
         'compress_response': True,
         'xsrf_cookies': server_config.xsrf_protection != XSRF_PROTECTION_DISABLED,
+        'xsrf_cookie_kwargs': {
+            'httponly': server_config.cookie_httponly,
+            'secure': server_config.cookie_secure,
+            'samesite': 'Lax'
+        },
     }
 
     application = tornado.web.Application(handlers, **settings)
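Review bot: The two `read_bool_from_config` calls default `cookie_secure` to True, so an installation served over plain HTTP will have its login cookies discarded by the browser with nothing in the server log explaining why, and nothing in this config section says so. Add `# Browsers drop Secure cookies over plain http: set security.cookie_secure=false for non-TLS deployments` above the two lines, and consider a startup warning when cookie_secure is true but the server has no TLS configured (whether ServerConfig carries the TLS settings is not visible in this hunk). Whether `security` can be None when the `security` key is absent depends on `read_dict`, which is not shown; if it can, both calls need to tolerate that. `from_json` starts and ends outside this hunk.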
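Review bot: The new `'samesite': 'Lax'` entry in `xsrf_cookie_kwargs` is the only cookie attribute in this commit that is hard-coded rather than read from `server_config`, and the inner dict literal also drops the trailing comma that the surrounding `settings` entries use. Tornado hands these kwargs to `http.cookies.Morsel`, which only accepts the `samesite` key from Python 3.8 on, so on an older interpreter the first write of the XSRF cookie would presumably raise `CookieError` rather than degrade; if the project still supports such a version, gate the key or document the minimum. Consider `'samesite': server_config.cookie_samesite,` with a matching config field defaulting to `'Lax'`, so the auth cookies in identification.py and tornado_auth.py can share the same value. `init` starts before this hunk and continues past it.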