diff --git a/babybuddy/settings/base.py b/babybuddy/settings/base.py
index 5b026e50..811ff882 100644
--- a/babybuddy/settings/base.py
+++ b/babybuddy/settings/base.py
@@ -268,11 +268,11 @@ if os.environ.get("SECURE_PROXY_SSL_HEADER"):
 # https://docs.djangoproject.com/en/4.0/topics/http/sessions/#settings
 SESSION_COOKIE_HTTPONLY = True
-# SESSION_COOKIE_SECURE = True
+SESSION_COOKIE_SECURE = bool(strtobool(os.environ.get("SESSION_COOKIE_SECURE") or "False"))
 # https://docs.djangoproject.com/en/4.0/ref/csrf/#settings
 CSRF_COOKIE_HTTPONLY = True
-# CSRF_COOKIE_SECURE = True
+CSRF_COOKIE_SECURE = bool(strtobool(os.environ.get("CSRF_COOKIE_SECURE") or "False"))
 CSRF_FAILURE_VIEW = "babybuddy.views.csrf_failure"
 CSRF_TRUSTED_ORIGINS = list(
 filter(None, os.environ.get("CSRF_TRUSTED_ORIGINS", "").split(","))
diff --git a/docs/configuration/security.md b/docs/configuration/security.md
index 4dcc7819..fc78f29c 100644
--- a/docs/configuration/security.md
+++ b/docs/configuration/security.md
@@ -19,6 +19,15 @@ Do not include schemes ("http" or "https") with this setting.
 - [`CSRF_TRUSTED_ORIGINS`](#csrf_trusted_origins)
 - [`SECURE_PROXY_SSL_HEADER`](#secure_proxy_ssl_header)
+## `CSRF_COOKIE_SECURE`
+
+*Default:* `False`
+
+If this is set to `True`, the browser CSRF cookie will be marked as "secure", which instructs the browser to only send the cookie over an HTTPS connection (never HTTP).
+
+**See also**
+- [Django's documentation on the `CSRF_COOKIE_SECURE` setting](https://docs.djangoproject.com/en/4.0/ref/settings/#csrf-cookie-secure)
+
 ## `CSRF_TRUSTED_ORIGINS`
 *Default:* `None`
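Review bot: Both added lines in the base.py hunk parse the flag with `strtobool`, which comes from `distutils.util` — deprecated in Python 3.10 and removed from the standard library in 3.12 — so importing settings will fail on newer interpreters unless that import (outside this hunk, so I cannot see whether it is guarded) has a fallback. A small local parser that accepts the same `1/true/yes/on` and `0/false/no/off` spellings and raises on anything else keeps the fail-closed behaviour on a typo without the distutils dependency, and gives the two settings one consistent code path. Separately, the `False` default means a deployment behind TLS that never sets these variables keeps sending the session and CSRF cookies over plain HTTP; since the file already reads `SECURE_PROXY_SSL_HEADER` (visible in the hunk header), it would be worth a startup warning when that is set but either cookie flag is left unset, and a sentence to that effect in the new docs sections.
```python
def _env_bool(name, default=False):
    """Parse a boolean environment variable; empty/unset -> default, unknown spelling -> ValueError."""
    raw = os.environ.get(name, "").strip().lower()
    if not raw:
        return default
    if raw in ("1", "true", "t", "yes", "y", "on"):
        return True
    if raw in ("0", "false", "f", "no", "n", "off"):
        return False
    raise ValueError(f"{name}: expected a boolean value, got {raw!r}")

SESSION_COOKIE_SECURE = _env_bool("SESSION_COOKIE_SECURE")
# … unchanged: CSRF_COOKIE_HTTPONLY …
CSRF_COOKIE_SECURE = _env_bool("CSRF_COOKIE_SECURE")
```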
@@ -89,3 +98,12 @@ came in via HTTPS).
 - [Django's documentation on the SECURE_PROXY_SSL_HEADER setting](https://docs.djangoproject.com/en/4.0/ref/settings/#secure-proxy-ssl-header)
 - [`ALLOWED_HOSTS`](#allowed_hosts)
 - [`CSRF_TRUSTED_ORIGINS`](#csrf_trusted_origins)
+
+## `SESSION_COOKIE_SECURE`
+
+*Default:* `False`
+
+If this is set to `True`, the browser session cookie will be marked as "secure", which instructs the browser to only send the cookie over an HTTPS connection (never HTTP).
+
+**See also**
+- [Django's documentation on the `SESSION_COOKIE_SECURE` setting](https://docs.djangoproject.com/en/4.0/ref/settings/#session-cookie-secure)