diff --git a/src/middleware/index.js b/src/middleware/index.js
index fedd035ad3..9722c42690 100644
--- a/src/middleware/index.js
+++ b/src/middleware/index.js
@@ -32,7 +32,11 @@ middleware.regexes = {
 };
 middleware.applyCSRF = csrf({
- cookie: true,
+ cookie: nconf.get('url_parsed').protocol === 'https:' ? {
+ secure: true,
+ sameSite: 'Strict',
+ httpOnly: true,
+ } : true,
 });
 middleware.ensureLoggedIn = ensureLoggedIn.ensureLoggedIn(nconf.get('relative_path') + '/login');
diff --git a/test/mocks/databasemock.js b/test/mocks/databasemock.js
index 6536af0d63..4e26093aa8 100644
--- a/test/mocks/databasemock.js
+++ b/test/mocks/databasemock.js
@@ -119,6 +119,7 @@ before(async function () {
 // Parse out the relative_url and other goodies from the configured URL
 const urlObject = url.parse(nconf.get('url'));
 const relativePath = urlObject.pathname !== '/' ? urlObject.pathname : '';
+ nconf.set('url_parsed', urlObject);
 nconf.set('base_url', urlObject.protocol + '//' + urlObject.host);
 nconf.set('secure', urlObject.protocol === 'https:');
 nconf.set('use_port', !!urlObject.port);
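Review bot: The `httpOnly` and `sameSite` attributes on the csurf secret cookie are only applied when the configured URL is https; on a plain-http deployment the `cookie` option falls back to `true`, so the secret cookie stays readable from page JavaScript and carries no SameSite attribute, even though neither attribute depends on TLS. Only `secure` needs the protocol gate, so the ternary can become `cookie: { httpOnly: true, sameSite: 'Strict', secure: nconf.get('url_parsed').protocol === 'https:' },`. Note also that `nconf.get('url_parsed').protocol` is evaluated at module load, and the test mock had to be changed to set that key, so whatever boots the real server must set `url_parsed` before this module is required or the `.protocol` access throws at startup; the same mock block already sets `secure` from the same protocol check, so `nconf.get('secure')` would express the intent without introducing a new config key. Worth a one-line comment on the option: `// secret cookie is never exposed to JS; Secure only when the public URL is https`.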