diff --git a/internal/outpost/proxyv2/application/session.go b/internal/outpost/proxyv2/application/session.go
index e97c581e6..a6c36ae73 100644
--- a/internal/outpost/proxyv2/application/session.go
+++ b/internal/outpost/proxyv2/application/session.go
@@ -3,6 +3,7 @@ package application
 import (
 	"fmt"
 	"math"
+	"net/http"
 	"net/url"
 	"os"
 	"path"
@@ -37,7 +38,12 @@ func (a *Application) getStore(p api.ProxyOutpostConfig, externalHost *url.URL)
 	rs.SetMaxLength(math.MaxInt)
 	rs.SetKeyPrefix(RedisKeyPrefix)
+	rs.Options.HttpOnly = true
+	if strings.ToLower(externalHost.Scheme) == "https" {
+		rs.Options.Secure = true
+	}
 	rs.Options.Domain = *p.CookieDomain
+	rs.Options.SameSite = http.SameSiteLaxMode
 	a.log.Trace("using redis session backend")
 	return rs
 }
@@ -51,7 +57,12 @@ func (a *Application) getStore(p api.ProxyOutpostConfig, externalHost *url.URL)
 	// Note, when using the FilesystemStore only the session.ID is written to a browser cookie, so this is explicit for the storage on disk
 	cs.MaxLength(math.MaxInt)
+	cs.Options.HttpOnly = true
+	if strings.ToLower(externalHost.Scheme) == "https" {
+		cs.Options.Secure = true
+	}
 	cs.Options.Domain = *p.CookieDomain
+	cs.Options.SameSite = http.SameSiteLaxMode
 	a.log.WithField("dir", dir).Trace("using filesystem session backend")
 	return cs
 }
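Review bot: The four cookie-hardening lines added around rs.Options (HttpOnly, the Secure-on-https check, SameSite) are repeated verbatim for cs.Options in the following hunk, so a small helper taking the options struct (assuming both stores expose gorilla's *sessions.Options, as the field names suggest) would keep the redis and filesystem backends from drifting apart on future changes. Both places now read externalHost.Scheme, which nothing in these hunks did before, so a nil externalHost would panic here — worth a nil guard unless every caller is known to pass a parsed URL. `strings.EqualFold(externalHost.Scheme, "https")` reads better than ToLower plus ==, and note that strings must already be imported elsewhere in the file since the import hunk adds only net/http. A short comment on the SameSite line would help the next reader, e.g. `// Lax rather than Strict: the cookie must still accompany top-level cross-site redirects back to this host.` getStore begins and ends outside the hunk.
```go
// setCookieOptions applies the hardening shared by both session backends:
// HttpOnly, SameSite=Lax, the configured domain, and Secure whenever the
// external host is served over TLS.
func setCookieOptions(o *sessions.Options, externalHost *url.URL, cookieDomain string) {
	o.HttpOnly = true
	// Lax rather than Strict: the cookie must still accompany top-level
	// cross-site redirects back to this host.
	o.SameSite = http.SameSiteLaxMode
	o.Domain = cookieDomain
	if externalHost != nil && strings.EqualFold(externalHost.Scheme, "https") {
		o.Secure = true
	}
}

// … unchanged: redis store construction …
	rs.SetKeyPrefix(RedisKeyPrefix)
	setCookieOptions(rs.Options, externalHost, *p.CookieDomain)
// … unchanged: filesystem store construction …
	cs.MaxLength(math.MaxInt)
	setCookieOptions(cs.Options, externalHost, *p.CookieDomain)
```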