diff --git a/dashcaddy-api/csrf-protection.js b/dashcaddy-api/csrf-protection.js
index 9462467..2e7661b 100644
--- a/dashcaddy-api/csrf-protection.js
+++ b/dashcaddy-api/csrf-protection.js
@@ -65,7 +65,7 @@ function csrfCookieMiddleware(req, res, next) {
 // Set cookie with the nonce (SameSite=Strict for additional protection)
 res.cookie(CSRF_COOKIE_NAME, csrfNonce, {
 httpOnly: false, // Must be readable by JavaScript for signing
- secure: true,
+ secure: req.secure || req.protocol === 'https', // Only secure in HTTPS
 sameSite: 'strict',
 path: '/',
 maxAge: 24 * 60 * 60 * 1000 // 24 hours
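Review bot: Keying `secure` on `req.secure || req.protocol === 'https'` drops the Secure flag in production whenever TLS is terminated by a reverse proxy or load balancer and Express's `trust proxy` setting is not enabled — Express then sees plain HTTP on every request, so the CSRF nonce cookie is issued without Secure and will be sent over cleartext, which the previous `secure: true` prevented. Whether `trust proxy` is configured is not visible in this hunk, so this should be confirmed; either way, a per-request protocol check is a fragile way to express "not in local development". Safer is to tie it to deployment configuration and keep the request check only as a fallback, e.g. `secure: process.env.NODE_ENV === 'production' || req.secure, // Secure unless explicitly running in dev over plain HTTP`, and to note in a comment that `app.set('trust proxy', …)` must be set when TLS terminates upstream. Note also that a non-Secure cookie with the same name can be overwritten by any cleartext response for the host, which matters for a double-submit token that is deliberately `httpOnly: false`. The enclosing `csrfCookieMiddleware` starts before and ends after this hunk.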