diff --git a/cmd/server/main.go b/cmd/server/main.go
index 1f264ed..33771f4 100644
--- a/cmd/server/main.go
+++ b/cmd/server/main.go
@@ -5,6 +5,7 @@ import (
 	"net/http"
 	"os"
 	"os/signal"
+	"strings"
 	"syscall"
 	"time"
@@ -54,7 +55,7 @@ func main() {
 		log.Info().Str("bot_login", forgejoClient.BotLogin).Msg("forgejo bot login initialized")
 	}
-	sessionStore := auth.NewPGStore(db, []byte(cfg.SessionSecret))
+	sessionStore := auth.NewPGStore(db, strings.HasPrefix(cfg.BaseURL, "https"), []byte(cfg.SessionSecret))
 	authService := auth.NewService(db, sessionStore, emailClient)
 	ctx, cancel := context.WithCancel(context.Background())
diff --git a/internal/auth/store.go b/internal/auth/store.go
index 6525a1f..5f8ba26 100644
--- a/internal/auth/store.go
+++ b/internal/auth/store.go
@@ -28,7 +28,7 @@ type PGStore struct {
 	options *sessions.Options
 }
-func NewPGStore(db *gorm.DB, keyPairs ...[]byte) *PGStore {
+func NewPGStore(db *gorm.DB, secure bool, keyPairs ...[]byte) *PGStore {
 	return &PGStore{
 		db: db,
 		codecs: securecookie.CodecsFromPairs(keyPairs...),
@@ -36,6 +36,7 @@ func NewPGStore(db *gorm.DB, keyPairs ...[]byte) *PGStore {
 			Path: "/",
 			MaxAge: sessionMaxAge,
 			HttpOnly: true,
+			Secure: secure,
 			SameSite: http.SameSiteLaxMode,
 		},
 	}
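Review bot: The Secure attribute of the session cookie is decided by `strings.HasPrefix(cfg.BaseURL, "https")` on the new `sessionStore := auth.NewPGStore(...)` line, and that check is case-sensitive and does not require the `://` separator, so a BaseURL written as `HTTPS://example.org` silently yields Secure=false and the session cookie becomes sendable over plain HTTP on a TLS deployment. Normalise the comparison with the package already imported in this hunk: `sessionStore := auth.NewPGStore(db, strings.HasPrefix(strings.ToLower(cfg.BaseURL), "https://"), []byte(cfg.SessionSecret))`. Because the value is inferred rather than configured, it is also worth logging the effective flag at startup next to the existing `log.Info()` calls so a mis-set BaseURL is visible in the logs rather than only as a missing cookie attribute. The body of main starts and ends outside this hunk.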
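Review bot: NewPGStore is exported and gains a `secure bool` parameter in the `@@ -28,7 +28,7 @@` hunk, but neither that hunk nor the `@@ -36,6 +36,7 @@` hunk that writes `Secure: secure` adds a doc comment saying what the flag controls or when callers must set it, which matters because passing false on an HTTPS site exposes the session cookie to interception over plaintext. Suggest a comment above the signature: `// NewPGStore returns a PGStore backed by db whose session cookie is marked Secure when secure is true; pass true whenever the site is served over HTTPS (including behind a TLS-terminating proxy), since a Secure=false cookie is also sent over plain HTTP.` Inserting the parameter before the variadic `keyPairs ...[]byte` means any caller still passing only key pairs fails to compile rather than silently misbinding, so no runtime check is needed for that. The body of NewPGStore continues past the end of both hunks.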