diff --git a/src/main/java/ee/ria/govsso/client/configuration/CookieConfiguration.java b/src/main/java/ee/ria/govsso/client/configuration/CookieConfiguration.java
index f0ed5e9..cad813c 100644
--- a/src/main/java/ee/ria/govsso/client/configuration/CookieConfiguration.java
+++ b/src/main/java/ee/ria/govsso/client/configuration/CookieConfiguration.java
@@ -32,6 +32,9 @@ CookieSameSiteSupplier csrfCookieSameSiteSupplier() {
 @Bean
 public ServletContextInitializer servletContextInitializer() {
- return servletContext -> servletContext.getSessionCookieConfig().setName(COOKIE_NAME_SESSION);
+ return servletContext -> {
+ servletContext.getSessionCookieConfig().setName(COOKIE_NAME_SESSION);
+ servletContext.getSessionCookieConfig().setSecure(true);
+ };
 }
 }
diff --git a/src/main/resources/application.yml b/src/main/resources/application.yml
index 98c3137..ce5abd2 100644
--- a/src/main/resources/application.yml
+++ b/src/main/resources/application.yml
@@ -24,10 +24,6 @@ server:
 forward-headers-strategy: NONE # Under main this cannot be enabled by default, because docker-compose.yml doesn't have another proxy in front of this application that would always set X-Forwarded-For header. X-Forwarded-For value that could be set outside of your own infrastructure, cannot be trusted.
 # Use same port as govsso-session/docker-compose.yml.
 port: 11443
- servlet:
- session:
- cookie:
- secure=true:
 ssl:
 enabled: true
 key-store-password: changeit
diff --git a/src/test/resources/application.yml b/src/test/resources/application.yml
index 9f3a07b..10c5a37 100644
--- a/src/test/resources/application.yml
+++ b/src/test/resources/application.yml
@@ -18,10 +18,6 @@ management:
 server:
 forward-headers-strategy: NATIVE
- servlet:
- session:
- cookie:
- secure=false:
 spring:
 main:
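Review bot: The new `setSecure(true)` in `CookieConfiguration.servletContextInitializer()` is unconditional and has no comment explaining why the Secure attribute is set in code rather than through `server.servlet.session.cookie.secure`. The two `application.yml` hunks in this commit remove keys written as `secure=true:` and `secure=false:`, which YAML parses as a key literally named `secure=true` with an empty value, so that setting was presumably never bound and the attribute was left to container defaults. I would add a comment above the lambda along the lines of `// Secure is set in code so the session cookie is never sent over plain HTTP and a mistyped YAML key cannot silently disable it.` and keep `servletContext.getSessionCookieConfig()` in one local so both setters visibly act on the same object. A test asserting that the session `Set-Cookie` header carries `Secure` would guard against regression. The class starts outside the hunk, so whether HttpOnly is set for this cookie elsewhere cannot be confirmed from here.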