diff --git a/internal/config/config.go b/internal/config/config.go
index 8a10894..60828b2 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -2,6 +2,7 @@ package config
 import (
 	"fmt"
+	"net/http"
 	"os"
 	"strconv"
 	"strings"
@@ -20,6 +21,7 @@ type Config struct {
 	RateLimit RateLimitConfig
 	CORS CORSConfig
 	SecurityHeaders SecurityHeadersConfig
+	Cookie CookieConfig
 }
 type ServerConfig struct {
@@ -78,6 +80,11 @@ type SecurityHeadersConfig struct {
 	XSSProtection string
 }
+type CookieConfig struct {
+	Secure bool
+	SameSite http.SameSite
+}
+
 func Load() (*Config, error) {
 	config := &Config{
 		Server: ServerConfig{
@@ -136,6 +143,10 @@ func Load() (*Config, error) {
 			ReferrerPolicy: getEnv("SECURITY_REFERRER_POLICY", "strict-origin-when-cross-origin"),
 			XSSProtection: getEnv("SECURITY_XSS_PROTECTION", "1; mode=block"),
 		},
+		Cookie: CookieConfig{
+			Secure: false,
+			SameSite: http.SameSiteNoneMode,
+		},
 	}
 	if err := config.Validate(); err != nil {
diff --git a/internal/http/auth_handlers.go b/internal/http/auth_handlers.go
index c2ab7ee..89e2690 100644
--- a/internal/http/auth_handlers.go
+++ b/internal/http/auth_handlers.go
@@ -28,7 +28,7 @@ func NewAuthHandlers(authService services.AuthService, logger *logger.Logger, cf
 }
 func (h *AuthHandlers) getCookieSettings() (secure bool, sameSite http.SameSite) {
-	return false, http.SameSiteDefaultMode
+	return h.config.Cookie.Secure, h.config.Cookie.SameSite
 }
 func (h *AuthHandlers) setSecureCookie(w http.ResponseWriter, name, value string, maxAge int) {
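Review bot: The new Cookie literal in Load pairs `Secure: false` with `http.SameSiteNoneMode`, and that combination is rejected by current browsers (a SameSite=None cookie must also carry Secure), so the cookie that getCookieSettings now feeds to setSecureCookie in auth_handlers.go would be silently discarded; None is also the weakest CSRF posture to pick for a session cookie. Every neighbouring field in this literal goes through getEnv, but these two values are hard-coded, so they cannot be tightened per environment. Suggest reading both through getEnv like the sibling fields (a COOKIE_SECURE / COOKIE_SAMESITE style pair, names constructed here, parsed into bool and http.SameSite), defaulting to Secure true and SameSite Lax, and adding a guard to Validate, which Load already calls, along the lines of `if cfg.Cookie.SameSite == http.SameSiteNoneMode && !cfg.Cookie.Secure { return fmt.Errorf("cookie: SameSite=None requires Secure") }` using whatever receiver name Validate has. Load's body continues outside this hunk, so I cannot see whether a later step overrides these defaults.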
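Review bot: getCookieSettings now returns whatever is under h.config.Cookie but has no doc comment, and since the previous body made the values constant, readers of setSecureCookie below will assume Secure is still fixed; suggest `// getCookieSettings returns the Secure flag and SameSite mode from h.config.Cookie; callers must not assume Secure is true, it is whatever the loaded config says.` above the method. The setSecureCookie signature that closes the hunk belongs to a function whose body is outside this view, so I cannot confirm how it reacts when Secure is false.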