diff --git a/production.ini b/production.ini
--- a/production.ini
+++ b/production.ini
@@ -142,6 +142,9 @@ beaker.session.key = rhodecode
 beaker.session.encrypt_key = g654dcno0-9873jhgfreyu
 beaker.session.validate_key = 9712sds2212c--zxc123
 beaker.session.timeout = 36000
+beaker.session.httponly = true
+# uncomment for https secure cookie
+beaker.session.secure = false
 
 ##auto save the session to not to use .save()
 beaker.session.auto = False
@@ -255,4 +258,4 @@ datefmt = %Y-%m-%d %H:%M:%S
 [formatter_color_formatter_sql]
 class=rhodecode.lib.colored_formatter.ColorFormatterSql
 format= %(asctime)s.%(msecs)03d %(levelname)-5.5s [%(name)s] %(message)s
-datefmt = %Y-%m-%d %H:%M:%S
\ No newline at end of file
+datefmt = %Y-%m-%d %H:%M:%S