diff --git a/janitor/runtime/src/main/java/org/pagan/janitor/JanitorConfig.java b/janitor/runtime/src/main/java/org/pagan/janitor/JanitorConfig.java
index dec231b..3c3363e 100644
--- a/janitor/runtime/src/main/java/org/pagan/janitor/JanitorConfig.java
+++ b/janitor/runtime/src/main/java/org/pagan/janitor/JanitorConfig.java
@@ -75,5 +75,11 @@ public class JanitorConfig {
      */
     @ConfigItem(defaultValue = "false")
     public boolean csrfInCookie;
+
+    /**
+     * CSRF cookie will be used as secure
+     */
+    @ConfigItem(defaultValue = "true")
+    public boolean secureCsrfInCookie;
 
 }
diff --git a/janitor/runtime/src/main/java/org/pagan/janitor/cache/SessionCacheConfig.java b/janitor/runtime/src/main/java/org/pagan/janitor/cache/SessionCacheConfig.java
index 6322b8a..3402b6b 100644
--- a/janitor/runtime/src/main/java/org/pagan/janitor/cache/SessionCacheConfig.java
+++ b/janitor/runtime/src/main/java/org/pagan/janitor/cache/SessionCacheConfig.java
@@ -13,6 +13,7 @@ public class SessionCacheConfig {
     public String cookieName;
     public String csrfName;
     public boolean csrfInCookie;
+    public boolean secureCsrfInCookie;
     public Long sessionLifetime;
 
     public void setConfig(JanitorConfig config) {
@@ -20,6 +21,7 @@ public class SessionCacheConfig {
         this.csrfName = config.csrfName;
         this.csrfInCookie = config.csrfInCookie;
         this.sessionLifetime = config.sessionLifetime;
+        this.secureCsrfInCookie = config.secureCsrfInCookie;
     }
 
 }
diff --git a/janitor/runtime/src/main/java/org/pagan/janitor/cache/SessionCacheImpl.java b/janitor/runtime/src/main/java/org/pagan/janitor/cache/SessionCacheImpl.java
index c7b6bf6..1b5e70a 100644
--- a/janitor/runtime/src/main/java/org/pagan/janitor/cache/SessionCacheImpl.java
+++ b/janitor/runtime/src/main/java/org/pagan/janitor/cache/SessionCacheImpl.java
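Review bot: The new flag is named and documented as a CSRF-cookie setting, but the SessionCacheImpl hunk on this page passes `config.secureCsrfInCookie` as the Secure argument of the session cookie (`config.cookieName`) as well as of the CSRF cookie, so the Javadoc added in JanitorConfig under-describes it and the field name carried through SessionCacheConfig and SessionCacheImpl is misleading. Since the property is introduced by this change, renaming it now (for example to `secureCookies`) is cheap; if the name stays, the Javadoc should at least state the real scope, e.g. `Sets the Secure attribute on the session cookie and, when csrfInCookie is enabled, on the CSRF cookie. Leave true except for local development without TLS: with false the session id is also sent on plaintext requests.` The same explanation belongs on the mirrored field in SessionCacheConfig, which currently has no comment.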
@@ -63,11 +63,11 @@ public class SessionCacheImpl implements SessionCache {
         put(sessionId, sessionInfo);
         ResponseBuilder builder = Response.ok().cookie(new NewCookie(config.cookieName, sessionId, "/", null, null, config.sessionLifetime.intValue(),
-                false, true));
+                config.secureCsrfInCookie, true));
         if (config.csrfInCookie) {
             builder.cookie(new NewCookie(config.csrfName, sessionInfo.csrfToken(), "/", null, null, config.sessionLifetime.intValue(),
-                    false, true));
+                    config.secureCsrfInCookie, true));
         } else {
             builder.header(config.csrfName, sessionInfo.csrfToken());
         }
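Review bot: Both `NewCookie` constructions in this hunk now repeat the same path, domain, max-age, Secure and HttpOnly arguments and differ only in name and value, so the next attribute change (for example wiring a SameSite setting) can easily be applied to one cookie and missed on the other. A small private helper such as `private NewCookie sessionScopedCookie(String name, String value) { return new NewCookie(name, value, "/", null, null, config.sessionLifetime.intValue(), config.secureCsrfInCookie, true); }` would keep the attributes in one place. If the CSRF-named flag is meant to govern the session cookie too, a one-line comment at the session-cookie call saying so would stop a future reader from treating that as a copy-paste mistake. The enclosing method continues past the end of the hunk.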