diff --git a/backend/app.js b/backend/app.js
index db017e7dea..69973bafbf 100644
--- a/backend/app.js
+++ b/backend/app.js
@@ -12,6 +12,7 @@ var indexRouter = require('./routes/index');
 var authRouter = require('./routes/auth');
 var app = express();
+app.set('trust proxy', 1);
 app.locals.pluralize = require('pluralize');
@@ -29,7 +30,11 @@ app.use(session({
 secret: 'keyboard cat',
 resave: false,
 saveUninitialized: false,
- store: new SQLiteStore({ db: 'sessions.db', dir: './var/db' })
+ store: new SQLiteStore({ db: 'sessions.db', dir: './var/db' }),
+ cookie: {
+ secure: true,
+ httpOnly: true
+ }
 }));
 app.use('/', indexRouter);
 app.use('/', authRouter);
@@ -64,7 +69,11 @@ app.use(session({
 secret: 'keyboard cat',
 resave: false,
 saveUninitialized: false,
- store: new SQLiteStore({ db: 'sessions.db', dir: './var/db' })
+ store: new SQLiteStore({ db: 'sessions.db', dir: './var/db' }),
+ cookie: {
+ secure: true,
+ httpOnly: true
+ }
 }));
 app.use('/', indexRouter);
 app.use('/', authRouter);
@@ -72,7 +81,11 @@ app.use(session({
 secret: 'keyboard cat',
 resave: false,
 saveUninitialized: false,
- store: new SQLiteStore({ db: 'sessions.db', dir: './var/db' })
+ store: new SQLiteStore({ db: 'sessions.db', dir: './var/db' }),
+ cookie: {
+ secure: true,
+ httpOnly: true
+ }
 }));
 app.use(passport.authenticate('session'));
 // catch 404 and forward to error handler
@@ -96,7 +109,11 @@ app.use(session({
 secret: 'keyboard cat',
 resave: false,
 saveUninitialized: false,
- store: new SQLiteStore({ db: 'sessions.db', dir: './var/db' })
+ store: new SQLiteStore({ db: 'sessions.db', dir: './var/db' }),
+ cookie: {
+ secure: true,
+ httpOnly: true
+ }
 }));
 app.use(passport.authenticate('session'));
 // catch 404 and forward to error handler
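Review bot: The `app.set('trust proxy', 1)` added in the first hunk (`@@ -12,6 +12,7 @@`) is unconditional and undocumented, so Express will honour `X-Forwarded-*` headers from whatever sits one hop away, including in a deployment where the process is reachable without a reverse proxy. In that situation a client can supply its own `X-Forwarded-Proto` and `X-Forwarded-For`, and those values feed `req.secure`, `req.ip` and the `secure: true` cookie decision added in the later hunks. I would take the hop count from deployment configuration and record the assumption next to the call, for example `// Exactly one TLS-terminating reverse proxy fronts this app; required so req.secure is true and the secure session cookie is issued.`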
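Review bot: The new `cookie` object in the `@@ -29,7 +30,11 @@` hunk sets `secure` and `httpOnly` but no `sameSite`, so cross-site sending of the session cookie is left to each browser's default; the hunks at `-64,7`, `-72,7` and `-96,7` have the same omission. Adding `sameSite: 'lax'` (or `'strict'` if no cross-site navigation needs the session) makes the CSRF posture explicit. `httpOnly: true` is already the express-session default, so that line is documentary rather than a behaviour change. With `secure: true` hard-coded, no session cookie is issued over plain HTTP, so a local run without TLS will not keep a login unless that is intended.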
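Review bot: The context line `secret: 'keyboard cat'` in the `@@ -64,7 +69,11 @@` hunk, and in every other session hunk, is left as a literal committed to the repository; it is also the sample value from the express-session documentation, so the cookie signature gives no integrity against anyone who can read the source. Hardening the cookie flags while the signing secret stays public leaves the weaker half in place. I would load it from the environment or a secret store and fail startup when it is missing, e.g. `secret: process.env.SESSION_SECRET,` where `SESSION_SECRET` is a placeholder for whatever name this deployment uses.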
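Review bot: The same five-line `cookie` change has to be applied to four separate `app.use(session({ … }))` calls (the hunks starting at old lines 29, 64, 72 and 96, noted here at `@@ -72,7 +81,11 @@`), so the session options exist as four copies that can drift apart the next time a flag is changed. As far as these hunks show, the four calls are configured identically; defining the options once, `var sessionOptions = { … };`, and passing them as `app.use(session(sessionOptions));` keeps the cookie policy in one place. It is also worth confirming that mounting the session middleware more than once is intentional, since a copy that is later edited in isolation would silently carry weaker settings.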