diff --git a/packages/xo-server/sample.config.toml b/packages/xo-server/sample.config.toml
index 290343fd5..9e588814d 100644
--- a/packages/xo-server/sample.config.toml
+++ b/packages/xo-server/sample.config.toml
@@ -50,6 +50,13 @@
 # configuration.
 # redirectToHttps = true
 
+# Settings applied to cookies created by xo-server's embedded HTTP server.
+#
+# See https://www.npmjs.com/package/cookie#options-1
+[http.cookies]
+#sameSite = true
+#secure = true
+
 # Basic HTTP.
 [[http.listen]]
 # Address on which the server is listening on.
diff --git a/packages/xo-server/src/index.js b/packages/xo-server/src/index.js
index bfb626fa9..994b9fc01 100644
--- a/packages/xo-server/src/index.js
+++ b/packages/xo-server/src/index.js
@@ -79,14 +79,14 @@ async function loadConfiguration() {
 
 // ===================================================================
 
-function createExpressApp() {
+function createExpressApp(config) {
   const app = createExpress()
 
   app.use(helmet())
 
   // Registers the cookie-parser and express-session middlewares,
   // necessary for connect-flash.
-  app.use(cookieParser())
+  app.use(cookieParser(null, config.http.cookies))
   app.use(
     expressSession({
       resave: false,
@@ -601,7 +601,7 @@ export default async function main(args) {
   await xo.clean()
 
   // Express is used to manage non WebSocket connections.
-  const express = createExpressApp()
+  const express = createExpressApp(config)
 
   if (config.http.redirectToHttps) {
     let port
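Review bot: The object passed as the second argument to `cookieParser()` in the `createExpressApp` hunk is handed to `cookie.parse`, whose only recognised option is `decode`, so the `sameSite` and `secure` keys documented in the new `[http.cookies]` section of sample.config.toml have no effect there — they are `cookie.serialize` attributes and only take effect where cookies are written. Unless a hunk outside this view does it, `config.http.cookies` should be applied at each `res.cookie(...)` call that creates xo-server's cookies (for example `res.cookie(name, value, { ...config.http.cookies, ...perCookieOptions })`), and the parser line can stay `app.use(cookieParser())`. As written, an operator who uncomments `secure = true` and `sameSite = true` gets no Secure/SameSite attributes on the emitted cookies while the config suggests otherwise, which is worth a comment at least: `// NOTE: cookie-parser only accepts parse options here; serialize options (secure, sameSite) must be applied where cookies are set`. The body of `createExpressApp` continues past the end of this hunk.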