diff --git a/auth-notes.org b/auth-notes.org
index f2d0674..522ed23 100644
--- a/auth-notes.org
+++ b/auth-notes.org
@@ -212,7 +212,7 @@ https://github.com/efim/dotfiles/commit/b3695148082d8c9850a781aaa7a88920bdb1fa7f this is all that's needed to enable tls mind blown -** TODO somehow set cookie to httpOnly & secure +** DONE somehow set cookie to httpOnly & secure with ability to disable for development session ** TODO maybe add middleware so that 401 would be a page, and not json
diff --git a/main.go b/main.go
index e6181a1..3549130 100644
--- a/main.go
+++ b/main.go
@@ -1,16 +1,21 @@
 package main
 import (
- "log"
+ "log"
+ "strings"
- "github.com/pocketbase/pocketbase"
+ "github.com/pocketbase/pocketbase"
 "sunshine.industries/auth-pocketbase-attempt/middleware"
 "sunshine.industries/auth-pocketbase-attempt/pages"
 )
 func main() {
 app := pocketbase.New()
- middleware.AddCookieSessionMiddleware(app)
+
+ servedName := app.Settings().Meta.AppUrl
+ isTlsEnabled := strings.HasPrefix(servedName, "https://")
+
+ middleware.AddCookieSessionMiddleware(app, isTlsEnabled)
 pages.AddPageRoutes(app)
 if err := app.Start(); err != nil {
diff --git a/middleware/auth.go b/middleware/auth.go
index 72a9761..234e6a9 100644
--- a/middleware/auth.go
+++ b/middleware/auth.go
@@ -1,7 +1,9 @@
 package middleware
 import (
+ "log"
 "net/http"
+
 "github.com/labstack/echo/v5"
 "github.com/pocketbase/pocketbase"
 "github.com/pocketbase/pocketbase/apis"
@@ -13,7 +15,9 @@ import (
 const AuthCookieName = "Auth"
-func AddCookieSessionMiddleware(app *pocketbase.PocketBase) {
+func AddCookieSessionMiddleware(app *pocketbase.PocketBase, isTlsEnabled bool) {
+ log.Println("Warning: starting server with cookie Secure = false!")
+
 app.OnBeforeServe().Add(func(e *core.ServeEvent) error {
 e.Router.Use(loadAuthContextFromCookie(app))
 return nil
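Review bot: `isTlsEnabled` in main.go is derived from the configured `Meta.AppUrl` rather than from the listener or the incoming request, so a deployment whose AppUrl is left at a plain http value (or entered with an uppercase scheme, which `strings.HasPrefix` will not match) starts with Secure cleared on every auth cookie and only a log line says so. Consider at least normalising the comparison, `isTlsEnabled := strings.HasPrefix(strings.ToLower(servedName), "https://")`, and recording the dependency next to it, e.g. `// Cookie Secure follows the configured app URL; an http:// AppUrl is the development mode.` The paired removal and re-addition of the `"log"` and pocketbase import lines looks like a whitespace-only change, which a gofmt pass would settle without hand edits.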
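Review bot: The added `log.Println("Warning: starting server with cookie Secure = false!")` in AddCookieSessionMiddleware is unconditional, so the warning is printed even when `isTlsEnabled` is true and the cookies are in fact Secure; guard it, `if !isTlsEnabled { log.Println("Warning: starting server with cookie Secure = false!") }`. The function now takes a flag that is easy to invert at the call site, so a doc comment would help: `// AddCookieSessionMiddleware installs the cookie-based session middleware; isTlsEnabled controls the Secure attribute on every cookie it sets and should be false only for local development over plain http.` AddCookieSessionMiddleware's body continues outside this hunk.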
@@ -25,6 +29,8 @@ func AddCookieSessionMiddleware(app *pocketbase.PocketBase) {
 Name: AuthCookieName,
 Value: e.Token,
 Path: "/",
+ Secure: isTlsEnabled,
+ HttpOnly: true,
 })
 e.HttpContext.SetCookie(&http.Cookie{
 Name: "username",
@@ -37,10 +43,12 @@ func AddCookieSessionMiddleware(app *pocketbase.PocketBase) {
 Name: AuthCookieName,
 Value: e.Token,
 Path: "/",
+ Secure: isTlsEnabled,
+ HttpOnly: true,
 })
 return nil
 })
- app.OnBeforeServe().Add(getLogoutRoute(app))
+ app.OnBeforeServe().Add(getLogoutRoute(app, isTlsEnabled))
 }
 func loadAuthContextFromCookie(app core.App) echo.MiddlewareFunc {
@@ -84,7 +92,7 @@ func loadAuthContextFromCookie(app core.App) echo.MiddlewareFunc {
 }
 // render and return login page with configured oauth providers
-func getLogoutRoute(app *pocketbase.PocketBase) func(*core.ServeEvent) error {
+func getLogoutRoute(app *pocketbase.PocketBase, isTlsEnabled bool) func(*core.ServeEvent) error {
 return func (e *core.ServeEvent) error {
 e.Router.GET("/logout", func(c echo.Context) error {
 c.SetCookie(&http.Cookie{
@@ -92,6 +100,8 @@ func getLogoutRoute(app *pocketbase.PocketBase) func(*core.ServeEvent) error {
 Value: "",
 Path: "/",
 MaxAge: -1,
+ Secure: isTlsEnabled,
+ HttpOnly: true,
 })
 c.Response().Header().Add("HX-Trigger", "auth-change-event")
 return c.JSON(http.StatusOK, map[string]string{"message": "session cookie removed"})
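Review bot: The auth cookie now carries `Secure` and `HttpOnly` but no `SameSite`, so net/http emits it without that attribute and the browser falls back to its own default handling; since this cookie holds the session token, set it explicitly next to the two added fields, `SameSite: http.SameSiteLaxMode,` (Lax still travels on the top-level redirect back from an OAuth provider; Strict would not). The same applies to the second `http.Cookie` in hunk @@ -37,10 and to the expiring cookie in hunk @@ -92,6 — there the added `Secure` is needed anyway, since recent browsers reject a non-secure Set-Cookie that would overwrite a Secure cookie, so the cleared cookie's attributes should keep matching the ones set on login. The `username` cookie set immediately after this hunk has its attributes outside the diff; if it is deliberately readable by client-side code, a one-line comment saying so would stop the next reader from "fixing" it. Both SetCookie calls sit in handler bodies that begin before the hunk.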
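Review bot: The comment directly above the changed `getLogoutRoute` signature, `// render and return login page with configured oauth providers`, describes a different function; since the line under it is being edited, replace it with `// getLogoutRoute registers GET /logout, which expires the auth cookie and emits the HX-Trigger auth-change-event.` The unchanged context line `return func (e *core.ServeEvent) error {` has a space after `func` that gofmt would remove. The handler body continues into the following hunk and past the end of it.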