diff --git a/src/app/api/admin/login/route.ts b/src/app/api/admin/login/route.ts
index 74e7dce..0d10302 100644
--- a/src/app/api/admin/login/route.ts
+++ b/src/app/api/admin/login/route.ts
@@ -51,9 +51,12 @@ export async function POST(request: Request) {
 const token = deriveSessionToken(process.env.ADMIN_PASSWORD)
 const response = NextResponse.json({ ok: true })
+ // Secure flag: on by default in production, but can be disabled via
+ // COOKIE_SECURE=false in .env when running behind an HTTP-only proxy.
+ const secureCookie = process.env.COOKIE_SECURE !== 'false' && process.env.NODE_ENV === 'production'
 response.cookies.set('admin_token', token, {
 httpOnly: true,
- secure: process.env.NODE_ENV === 'production',
+ secure: secureCookie,
 sameSite: 'strict',
 maxAge: 60 * 60 * 24 * 7, // 7 days
 path: '/',