diff --git a/development.ini b/development.ini
--- a/development.ini
+++ b/development.ini
@@ -142,6 +142,9 @@ beaker.session.key = rhodecode
 beaker.session.encrypt_key = g654dcno0-9873jhgfreyu
 beaker.session.validate_key = 9712sds2212c--zxc123
 beaker.session.timeout = 36000
+beaker.session.httponly = true
+# uncomment for https secure cookie
+beaker.session.secure = false
 
 ##auto save the session to not to use .save()
 beaker.session.auto = False