diff --git a/internal/cookie/admin_cookie.go b/internal/cookie/admin_cookie.go
index d0e2b4b2..abc5eb3a 100644
--- a/internal/cookie/admin_cookie.go
+++ b/internal/cookie/admin_cookie.go
@@ -12,7 +12,7 @@ import (
 // SetAdminCookie sets the admin cookie in the response
 func SetAdminCookie(gc *gin.Context, token string, adminCookieSecure bool) {
 secure := adminCookieSecure
- httpOnly := adminCookieSecure
+ httpOnly := true
 hostname := parsers.GetHost(gc)
 host, _ := parsers.GetHostParts(hostname)
 gc.SetCookie(constants.AdminCookieName, token, 3600, "/", host, secure, httpOnly)
@@ -37,7 +37,7 @@ func GetAdminCookie(gc *gin.Context) (string, error) {
 // DeleteAdminCookie sets the response cookie to empty
 func DeleteAdminCookie(gc *gin.Context, adminCookieSecure bool) {
 secure := adminCookieSecure
- httpOnly := adminCookieSecure
+ httpOnly := true
 hostname := parsers.GetHost(gc)
 host, _ := parsers.GetHostParts(hostname)
 gc.SetCookie(constants.AdminCookieName, "", -1, "/", host, secure, httpOnly)
diff --git a/internal/cookie/cookie.go b/internal/cookie/cookie.go
index 5299461e..c9b6b674 100644
--- a/internal/cookie/cookie.go
+++ b/internal/cookie/cookie.go
@@ -13,7 +13,7 @@ import (
 // SetSession sets the session cookie in the response
 func SetSession(gc *gin.Context, sessionID string, appCookieSecure bool) {
 secure := appCookieSecure
- httpOnly := appCookieSecure
+ httpOnly := true
 hostname := parsers.GetHost(gc)
 host, _ := parsers.GetHostParts(hostname)
 domain := parsers.GetDomainName(hostname)
@@ -42,7 +42,7 @@ func SetSession(gc *gin.Context, sessionID string, appCookieSecure bool) {
 // DeleteSession sets session cookies to expire
 func DeleteSession(gc *gin.Context, appCookieSecure bool) {
 secure := appCookieSecure
- httpOnly := appCookieSecure
+ httpOnly := true
 hostname := parsers.GetHost(gc)
 host, _ := parsers.GetHostParts(hostname)
 domain := parsers.GetDomainName(hostname)
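Review bot: In SetAdminCookie (internal/cookie/admin_cookie.go) no `gc.SetSameSite(...)` call appears between the signature and `gc.SetCookie`, so unless the attribute is set earlier on the same context the admin token cookie is written without an explicit SameSite value and cross-site sending is left to browser defaults. HttpOnly keeps script from reading the token but does not stop the browser attaching it to cross-site requests. Consider adding `gc.SetSameSite(http.SameSiteStrictMode)` (or Lax, if the dashboard is reached through cross-site links) on the line before `gc.SetCookie`, here and in DeleteAdminCookie. That needs `net/http` in the import block, which, like the function's closing brace, is outside the hunk.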
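Review bot: The doc comment on SetSession in internal/cookie/cookie.go does not record that HttpOnly is now unconditional while Secure still follows `appCookieSecure`, and the bare `httpOnly := true` gives a later editor no hint why it must not be tied back to configuration. I would add above that line `// HttpOnly is always set: the session ID must never be readable from script, even when Secure is disabled.` The same comment fits DeleteSession and the admin and MFA cookie functions changed in this commit. SetSession's body continues past the end of the hunk.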
diff --git a/internal/cookie/mfa_session.go b/internal/cookie/mfa_session.go
index ee562273..bb09702e 100644
--- a/internal/cookie/mfa_session.go
+++ b/internal/cookie/mfa_session.go
@@ -13,7 +13,7 @@ import (
 // SetMfaSession sets the mfa session cookie in the response
 func SetMfaSession(gc *gin.Context, sessionID string, appCookieSecure bool) {
 secure := appCookieSecure
- httpOnly := appCookieSecure
+ httpOnly := true
 hostname := parsers.GetHost(gc)
 host, _ := parsers.GetHostParts(hostname)
 domain := parsers.GetDomainName(hostname)
@@ -42,7 +42,7 @@ func SetMfaSession(gc *gin.Context, sessionID string, appCookieSecure bool) {
 // DeleteMfaSession deletes the mfa session cookies to expire
 func DeleteMfaSession(gc *gin.Context, appCookieSecure bool) {
 secure := appCookieSecure
- httpOnly := appCookieSecure
+ httpOnly := true
 hostname := parsers.GetHost(gc)
 host, _ := parsers.GetHostParts(hostname)
 domain := parsers.GetDomainName(hostname)
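Review bot: The preamble in SetMfaSession (`secure`, `httpOnly`, `hostname`, `host`, `domain`) is repeated in DeleteMfaSession and in both functions of cookie.go, and in shortened form in admin_cookie.go, which is why this one-word fix had to be applied six times. An unexported helper in the package would give the cookie flags a single definition, so a later change to them cannot miss a call site. The sketch below assumes `GetHostParts` and `GetDomainName` yield strings, which the hunks suggest but do not show. Both MFA function bodies continue outside their hunks.

```go
// cookieAttrs returns the values every cookie in this package is written with.
// HttpOnly is fixed to true; only Secure follows the caller's flag.
func cookieAttrs(gc *gin.Context, cookieSecure bool) (host, domain string, secure, httpOnly bool) {
	hostname := parsers.GetHost(gc)
	host, _ = parsers.GetHostParts(hostname)
	domain = parsers.GetDomainName(hostname)
	return host, domain, cookieSecure, true
}

// in SetMfaSession / DeleteMfaSession:
host, domain, secure, httpOnly := cookieAttrs(gc, appCookieSecure)
// … unchanged: rest of the function body, outside the hunk …
```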