diff --git a/docs/security.rst b/docs/security.rst
index 46a5b22..b43789e 100644
--- a/docs/security.rst
+++ b/docs/security.rst
@@ -102,6 +102,9 @@ The software ("as is") uses these cookies:
 * "sessionid" (host-only, to keep the session when you have logged-in to the web interface)
+If you have set WE_HAVE_SSL to True (because you run the software on a https
+site), you should also set *_COOKIE_SECURE to True to avoid the cookies getting
+transmitted via http.
 Be careful with domain cookies
 ------------------------------
diff --git a/nsupdate/settings.py b/nsupdate/settings.py
index 4e86039..ab915fa 100644
--- a/nsupdate/settings.py
+++ b/nsupdate/settings.py
@@ -224,13 +224,13 @@ CSRF_FAILURE_VIEW = 'nsupdate.main.views.CsrfFailureView'
 # Settings for CSRF cookie.
 CSRF_COOKIE_NAME = 'csrftoken'
 CSRF_COOKIE_PATH = '/'
-CSRF_COOKIE_SECURE = False
+CSRF_COOKIE_SECURE = False # use True here if you have set WE_HAVE_SSL = True
 CSRF_COOKIE_HTTPONLY = False
 
 # Settings for session cookie.
 SESSION_COOKIE_NAME = 'sessionid'
 SESSION_COOKIE_PATH = '/'
-SESSION_COOKIE_SECURE = False
+SESSION_COOKIE_SECURE = False # use True here if you have set WE_HAVE_SSL = True
 SESSION_COOKIE_HTTPONLY = True
 SESSION_COOKIE_AGE = 14 * 24 * 3600 # 2 weeks, in seconds
 SESSION_EXPIRE_AT_BROWSER_CLOSE = False
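Review bot: The new comments on CSRF_COOKIE_SECURE and SESSION_COOKIE_SECURE leave the secure flags decoupled from WE_HAVE_SSL, so a deployment that flips WE_HAVE_SSL to True and overlooks the comment still has the browser send the sessionid and csrftoken cookies over plain http whenever the host also answers on port 80 — the Secure attribute is the only thing that prevents that. If WE_HAVE_SSL is assigned earlier in this module (it is referenced in the comment but not visible in the hunk), derive the flags from it instead of documenting the coupling: `CSRF_COOKIE_SECURE = WE_HAVE_SSL  # cookie is never sent over plain http on an https-only site` and `SESSION_COOKIE_SECURE = WE_HAVE_SSL`. If WE_HAVE_SSL is instead set by a local settings override imported at the end of the file, an assignment at this position would only see the default, so the derivation belongs after that import. Either way, keep a comment on both lines so operators know why the value is not a literal.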