diff --git a/src/middleware/csrf-protection.middleware.js b/src/middleware/csrf-protection.middleware.js
index 53cc2a55..4da885a1 100644
--- a/src/middleware/csrf-protection.middleware.js
+++ b/src/middleware/csrf-protection.middleware.js
@@ -75,9 +75,12 @@ function setCsrfToken(req, res, next) {
   if (!req.cookies['csrf-token']) {
     const token = generateCsrfToken();
+    //Check if we're behind a proxy (X-Forwarded-Proto header)
+    const isSecure = req.secure || req.headers['x-forwarded-proto'] === 'https';
+
     res.cookie('csrf-token', token, {
       httpOnly: true,
-      secure: process.env.NODE_ENV === 'production',
+      secure: isSecure && process.env.NODE_ENV === 'production',
       sameSite: 'strict',
       maxAge: 24 * 60 * 60 * 1000 // 24 hours
     });
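Review bot: The new `secure: isSecure && process.env.NODE_ENV === 'production'` condition lets the CSRF cookie be issued without the Secure attribute in production whenever the app itself does not observe HTTPS, which is a downgrade from the previous unconditional production flag; a plain-HTTP request to a production deployment, or a proxy that does not forward `X-Forwarded-Proto`, now yields a cookie the browser will also send over cleartext. The Secure attribute is enforced by the browser against its own connection, so a TLS-terminating proxy in front of the app is not a reason to drop it, and the app-side check adds nothing for the proxy case the comment describes. Reading `req.headers['x-forwarded-proto']` directly also sidesteps Express's `trust proxy` setting, which is exactly what `req.secure` already consults to decide whether that header may be believed. I would restore `secure: process.env.NODE_ENV === 'production',` and remove the `isSecure` lines, or, if a non-TLS production path is genuinely required, gate on `req.secure` alone with `trust proxy` configured for the real proxy addresses. setCsrfToken begins before this hunk, and the added comment should read `// Check if we're behind a proxy (X-Forwarded-Proto header)` to match the spaced comment style of `// 24 hours` below it.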