diff --git a/src/lib/server/auth/index.ts b/src/lib/server/auth/index.ts
index f81071d..290c85c 100644
--- a/src/lib/server/auth/index.ts
+++ b/src/lib/server/auth/index.ts
@@ -88,10 +88,15 @@ export async function invalidateSession(token: string) {
 }
 
 export function setSessionCookie(event: RequestEvent, token: string, expiresAt: Date) {
+	// Use the actual request origin, not the forwarded protocol
+	// This allows Secure cookies over HTTPS but plain cookies over HTTP (NetBird, LAN)
+	const actualOrigin = event.request.headers.get('origin') ?? event.url.origin;
+	const isSecure = actualOrigin.startsWith('https:');
+
 	event.cookies.set('session', token, {
 		httpOnly: true,
 		sameSite: 'lax',
-		secure: event.url.protocol === 'https:',
+		secure: isSecure,
 		path: '/',
 		expires: expiresAt
 	});