diff --git a/conf/defaults.config b/conf/defaults.config
index f9087301e8..94b0f102ca 100644
--- a/conf/defaults.config
+++ b/conf/defaults.config
@@ -981,8 +981,7 @@ $session_management_via = "session_cookie";
 $CookieSameSite = "Lax";
 
 # Set the value of the secure cookie attribute.
-# The default is 0, as 1 will not work without https.
-$CookieSecure = 0;
+$CookieSecure = 1;
 
 # If $useSessionCookie is set to 1, then a "session" cookie will be used. This
 # means that the cookie will be deleted when the browser session ends.
diff --git a/conf/localOverrides.conf.dist b/conf/localOverrides.conf.dist
index c852f924be..5a19b9e0a4 100644
--- a/conf/localOverrides.conf.dist
+++ b/conf/localOverrides.conf.dist
@@ -595,8 +595,8 @@ $mail{feedbackRecipients} = [
 #$CookieSameSite = "Lax";
 
 # Set the value of the secure cookie attribute.
-# The default is 0, as 1 will not work without https.
-#$CookieSecure = 1;
+# The default is 1, so if you are serving without https then set this to 0.
+#$CookieSecure = 0;
 
 # If $useSessionCookie is set to 1, then a "session" cookie will be used. This
 # means that the cookie will be deleted when the browser session ends.
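Review bot: The comment left above `$CookieSecure = 1;` in conf/defaults.config no longer says what the default is or when it has to change, because the line about the https dependency was removed rather than rewritten. With the secure attribute set, browsers do not send the cookie back over plain http, so a site still served without https would presumably lose its session after picking up this default, with nothing in this file pointing at the cause. I would add `# The default is 1, so the session cookie is only sent over https.` and `# Override this with 0 in your local configuration only if the site is served without https.` under the existing comment line. A line in the upgrade notes about the changed default would help too, if the project keeps them.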
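Review bot: The new comment in conf/localOverrides.conf.dist says when to uncomment `#$CookieSecure = 0;` but not what that setting gives up. With 0 the session cookie is also sent over unencrypted http, where anything on the network path can read it, so the override belongs on setups where https is not available. I would extend the comment with `# With 0 the session cookie is also sent over unencrypted http; use this only where https is not available.` It may also be worth saying that a site behind a TLS-terminating reverse proxy is still https from the browser's side and should keep the default of 1.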