diff --git a/deploy/deploy-test-server.sh b/deploy/deploy-test-server.sh
index 118dc4c..e820840 100755
--- a/deploy/deploy-test-server.sh
+++ b/deploy/deploy-test-server.sh
@@ -130,6 +130,7 @@ if [ ! -f /etc/left4me/web.env ]; then
         printf 'DATABASE_URL=sqlite:////var/lib/left4me/left4me.db\n'
         printf 'SECRET_KEY=%s\n' "$secret_key"
         printf 'JOB_WORKER_THREADS=4\n'
+        printf 'SESSION_COOKIE_SECURE=false\n'
     } > "$tmp_web_env"
     $sudo_cmd install -m 0640 -o root -g left4me "$tmp_web_env" /etc/left4me/web.env
 fi
diff --git a/l4d2web/app.py b/l4d2web/app.py
index a2442e9..34375ec 100644
--- a/l4d2web/app.py
+++ b/l4d2web/app.py
@@ -38,7 +38,11 @@ def create_app(test_config: dict[str, object] | None = None) -> Flask:
     if not app.config.get("TESTING") and (not secret_key or secret_key == "dev"):
         raise RuntimeError("SECRET_KEY must be set to a non-default value outside of testing")
 
-    app.config["SESSION_COOKIE_SECURE"] = not app.config.get("TESTING", False)
+    secure_env = os.getenv("SESSION_COOKIE_SECURE")
+    if secure_env is not None:
+        app.config["SESSION_COOKIE_SECURE"] = secure_env.lower() not in {"0", "false", "no"}
+    else:
+        app.config["SESSION_COOKIE_SECURE"] = not app.config.get("TESTING", False)
 
     with app.app_context():
         init_db()
diff --git a/l4d2web/tests/test_config.py b/l4d2web/tests/test_config.py
index c58f870..a159afb 100644
--- a/l4d2web/tests/test_config.py
+++ b/l4d2web/tests/test_config.py
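Review bot: The new `printf 'SESSION_COOKIE_SECURE=false\n'` line is only reached inside the `if [ ! -f /etc/left4me/web.env ]` guard named in the hunk header, so test hosts provisioned before this change keep their old web.env and, with the application's default of secure cookies outside testing, keep sending `Secure` session cookies on a server that is presumably reached over plain HTTP; re-provisioning or a one-off edit of existing hosts is worth calling out in the deploy notes. The generated file should also record why the flag is off so the value is not copied into a TLS-fronted deployment, e.g. a preceding `printf '# test server is served over plain HTTP; keep this true on any TLS-fronted deployment\n'` if the env loader tolerates comment lines, otherwise the same sentence as a shell comment above the printf. The enclosing `if` block starts before the hunk.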
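Review bot: The override `secure_env.lower() not in {"0", "false", "no"}` treats every unrecognised value, including a misspelling or a value with surrounding whitespace, as "secure", which is the safe direction but leaves an operator with no feedback that their setting was ignored, and conversely a production host that sets `false` gets no signal that session cookies will now travel over plain HTTP. Consider `secure_env.strip().lower()` and, when the resolved value is False while `TESTING` is off, `app.logger.warning("SESSION_COOKIE_SECURE disabled by environment; session cookies will be sent over plain HTTP")` so the downgrade is visible in logs. The accepted false-values deserve a module-level constant with a comment, since the deploy script writes the literal `false` and the two must stay in step. This assumes `os` is already imported above the hunk; `create_app` continues outside it.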
@@ -53,6 +53,18 @@ def test_session_cookie_secure_in_production(tmp_path, monkeypatch) -> None:
     assert app.config["SESSION_COOKIE_SECURE"] is True
 
 
+def test_session_cookie_secure_env_override(tmp_path, monkeypatch) -> None:
+    db_url = f"sqlite:///{tmp_path/'cookie-env.db'}"
+    monkeypatch.setenv("DATABASE_URL", db_url)
+    monkeypatch.setenv("SESSION_COOKIE_SECURE", "false")
+    monkeypatch.setattr("l4d2web.app.recover_stale_jobs", lambda: None)
+    monkeypatch.setattr("l4d2web.app.start_job_workers", lambda app: None)
+
+    app = create_app({"TESTING": False, "DATABASE_URL": db_url, "SECRET_KEY": "real"})
+
+    assert app.config["SESSION_COOKIE_SECURE"] is False
+
+
 def test_session_cookie_secure_disabled_in_testing(tmp_path, monkeypatch) -> None:
     db_url = f"sqlite:///{tmp_path/'cookie-test.db'}"
     monkeypatch.setenv("DATABASE_URL", db_url)
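Review bot: The new `test_session_cookie_secure_env_override` pins only the literal `"false"`, so the case-folding and the `"0"`/`"no"` spellings accepted by the application, as well as the fail-safe behaviour for a truthy or unrecognised value, are untested. Parametrizing the test over a few values covers the whole parser with the same fixture setup, assuming `pytest` is imported in this file (the fixtures alone do not require it). The rest of the test body is unchanged.

```python
@pytest.mark.parametrize(
    ("value", "expected"),
    [("false", False), ("0", False), ("NO", False), ("true", True), ("1", True)],
)
def test_session_cookie_secure_env_override(tmp_path, monkeypatch, value, expected) -> None:
    db_url = f"sqlite:///{tmp_path/'cookie-env.db'}"
    monkeypatch.setenv("DATABASE_URL", db_url)
    monkeypatch.setenv("SESSION_COOKIE_SECURE", value)
    # … unchanged: recover_stale_jobs / start_job_workers stubs and create_app call …
    assert app.config["SESSION_COOKIE_SECURE"] is expected
```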