diff --git a/README.md b/README.md
index d04c5a4a5..8ef178f78 100644
--- a/README.md
+++ b/README.md
@@ -50,6 +50,9 @@ api:
   # Make sure to add {public_url}/auth/callback to the OAuth2 Redirect URLs of your application in the Discord dev portal
   public_url: "http://localhost:5173/api"
 
+  # Make sure to enable this when you don't have an SSL (HTTPS) certificate
+  insecure_cookies: true
+
   host: "localhost"
   port: 8080
 
@@ -138,6 +141,7 @@ services:
       - "8080:8080"
     environment:
       - EMBEDG_API__HOST=0.0.0.0
+      - EMBEDG_API__INSECURE_COOKIES=true
       - EMBEDG_POSTGRES__HOST=postgres
       - EMBEDG_POSTGRES__USER=postgres
       - EMBEDG_POSTGRES__DB=embedg
diff --git a/docker-compose.yaml b/docker-compose.yaml
index 3358f9c4b..30cea6d4d 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -36,6 +36,7 @@ services:
       - "8080:8080"
     environment:
       - EMBEDG_API__HOST=0.0.0.0
+      - EMBEDG_API__INSECURE_COOKIES=true
       - EMBEDG_POSTGRES__HOST=postgres
       - EMBEDG_POSTGRES__USER=postgres
       - EMBEDG_POSTGRES__DB=embedg
diff --git a/embedg-server/api/handlers/auth/handler.go b/embedg-server/api/handlers/auth/handler.go
index 10ce21838..f41811bbb 100644
--- a/embedg-server/api/handlers/auth/handler.go
+++ b/embedg-server/api/handlers/auth/handler.go
@@ -170,7 +170,7 @@ func setOauthStateCookie(c *fiber.Ctx) string {
 		Name:     "oauth_state",
 		Value:    state,
 		HTTPOnly: true,
-		Secure:   true,
+		Secure:   !viper.GetBool("api.insecure_cookies"),
 	})
 	return state
 }
diff --git a/embedg-server/api/session/session.go b/embedg-server/api/session/session.go
index 3115a63c4..7008c3a07 100644
--- a/embedg-server/api/session/session.go
+++ b/embedg-server/api/session/session.go
@@ -12,6 +12,7 @@ import (
 	"github.com/gofiber/fiber/v2"
 	"github.com/merlinfuchs/embed-generator/embedg-server/db/postgres"
 	"github.com/rs/zerolog/log"
+	"github.com/spf13/viper"
 )
 
 type Session struct {
@@ -88,7 +89,7 @@ func (s *SessionManager) CreateSessionCookie(c *fiber.Ctx, token string) {
 		Name:     "session_token",
 		Value:    token,
 		HTTPOnly: true,
-		Secure:   true,
+		Secure:   !viper.GetBool("api.insecure_cookies"),
 		SameSite: "strict",
 		Expires:  time.Now().UTC().Add(30 * 24 * time.Hour),
 	})