diff --git a/cli/start.go b/cli/start.go
index 1c89bf8e20b7a..47a2032f15ff1 100644
--- a/cli/start.go
+++ b/cli/start.go
@@ -56,6 +56,7 @@ func start() *cobra.Command {
 tlsMinVersion string
 useTunnel bool
 traceDatadog bool
+ secureAuthCookie bool
 )
 root := &cobra.Command{
 Use: "start",
@@ -132,6 +133,7 @@ func start() *cobra.Command {
 Database: databasefake.New(),
 Pubsub: database.NewPubsubInMemory(),
 GoogleTokenValidator: validator,
+ SecureAuthCookie: secureAuthCookie,
 }
 
 if !dev {
@@ -334,6 +336,7 @@ func start() *cobra.Command {
 cliflag.BoolVarP(root.Flags(), &useTunnel, "tunnel", "", "CODER_DEV_TUNNEL", true, "Serve dev mode through a Cloudflare Tunnel for easy setup")
 _ = root.Flags().MarkHidden("tunnel")
 cliflag.BoolVarP(root.Flags(), &traceDatadog, "trace-datadog", "", "CODER_TRACE_DATADOG", false, "Send tracing data to a datadog agent")
+ cliflag.BoolVarP(root.Flags(), &secureAuthCookie, "secure-auth-cookie", "", "CODER_SECURE_AUTH_COOKIE", false, "Specifies if the 'Secure' property is set on browser session cookies")
 
 return root
 }
diff --git a/coderd/coderd.go b/coderd/coderd.go
index e8836eeef7232..0eac01793eb76 100644
--- a/coderd/coderd.go
+++ b/coderd/coderd.go
@@ -29,6 +29,8 @@ type Options struct {
 
 AWSCertificates awsidentity.Certificates
 GoogleTokenValidator *idtoken.Validator
+
+ SecureAuthCookie bool
 }
 
 // New constructs the Coder API into an HTTP handler.
diff --git a/coderd/users.go b/coderd/users.go
index e5db601ad2828..8d413b9cdc05a 100644
--- a/coderd/users.go
+++ b/coderd/users.go
@@ -417,6 +417,7 @@ func (api *api) postLogin(rw http.ResponseWriter, r *http.Request) {
 Path: "/",
 HttpOnly: true,
 SameSite: http.SameSiteLaxMode,
+ Secure: api.SecureAuthCookie,
 })
 
 render.Status(r, http.StatusCreated)
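Review bot: The new `secure-auth-cookie` flag in the last cli/start.go hunk defaults to `false`, so a deployment served over TLS still issues the session cookie without `Secure` unless the operator remembers to opt in. The var block in the first hunk shows TLS options (`tlsMinVersion`) already exist, so the default could presumably follow the TLS setting, or startup could log a warning when TLS is on and this flag is off; the TLS enable flag itself is outside the hunks, so that needs confirming. At minimum the help text should say when to turn it on, e.g. `"Set the 'Secure' attribute on browser session cookies; enable whenever Coder is reached over HTTPS"`. start() begins outside the hunk.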
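Review bot: The new `SecureAuthCookie` field in `Options` has no comment, and a wrong value here silently weakens session handling. I would document it on the field, e.g. `// SecureAuthCookie sets the Secure attribute on the session cookie issued at login.` followed by `// Enable it whenever the API is reached over HTTPS; the zero value leaves it off.` The struct starts outside the hunk, so the other fields may follow a different comment convention.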
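Review bot: In `postLogin` the `Secure` attribute is wired inline into this one cookie literal, with no comment on why it is configurable rather than fixed to `true`. A short why-comment would help, e.g. `// Secure follows the deployment option: browsers discard Secure cookies set over plain HTTP, so it cannot be hard-coded.` If the session cookie is also written elsewhere (for example when it is cleared on logout, which is not visible in this diff), those calls should read the same option so the attributes stay consistent. postLogin starts and ends outside the hunk.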