diff --git a/src/lib/__tests__/session-cookie.test.ts b/src/lib/__tests__/session-cookie.test.ts
new file mode 100644
index 0000000..7fb1e88
--- /dev/null
+++ b/src/lib/__tests__/session-cookie.test.ts
@@ -0,0 +1,40 @@
+import { afterEach, describe, expect, it } from 'vitest'
+import { getMcSessionCookieOptions } from '../session-cookie'
+
+describe('getMcSessionCookieOptions', () => {
+ const env = process.env as Record
+ const originalNodeEnv = env.NODE_ENV
+ const originalCookieSecure = env.MC_COOKIE_SECURE
+
+ afterEach(() => {
+ if (originalNodeEnv === undefined) delete env.NODE_ENV
+ else env.NODE_ENV = originalNodeEnv
+
+ if (originalCookieSecure === undefined) delete env.MC_COOKIE_SECURE
+ else env.MC_COOKIE_SECURE = originalCookieSecure
+ })
+
+ it('does not force secure cookies on plain HTTP in production when MC_COOKIE_SECURE is unset', () => {
+ env.NODE_ENV = 'production'
+ delete env.MC_COOKIE_SECURE
+
+ const options = getMcSessionCookieOptions({ maxAgeSeconds: 60, isSecureRequest: false })
+ expect(options.secure).toBe(false)
+ })
+
+ it('sets secure cookies for HTTPS requests when MC_COOKIE_SECURE is unset', () => {
+ env.NODE_ENV = 'production'
+ delete env.MC_COOKIE_SECURE
+
+ const options = getMcSessionCookieOptions({ maxAgeSeconds: 60, isSecureRequest: true })
+ expect(options.secure).toBe(true)
+ })
+
+ it('respects MC_COOKIE_SECURE override', () => {
+ env.NODE_ENV = 'production'
+ env.MC_COOKIE_SECURE = '1'
+
+ const options = getMcSessionCookieOptions({ maxAgeSeconds: 60, isSecureRequest: false })
+ expect(options.secure).toBe(true)
+ })
+})
diff --git a/src/lib/session-cookie.ts b/src/lib/session-cookie.ts
index d3ffc4b..a5d9065 100644
--- a/src/lib/session-cookie.ts
+++ b/src/lib/session-cookie.ts
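Review bot: None of the three cases exercises the path the accompanying source change actually alters — a call that omits the optional `isSecureRequest` — so this suite passes unchanged against both the old and the new fallback; add a case such as `getMcSessionCookieOptions({ maxAgeSeconds: 60 })` under `NODE_ENV = 'production'` that asserts whichever default is intended, plus a companion with `MC_COOKIE_SECURE = '0'` so the negative override is pinned as well. The first two cases already held before this commit, because `false ?? x` does not fall through to the production check (assuming `envFlag` yields `undefined` for an unset variable, which is not visible here). On style, the manual save-and-restore of `process.env` in `afterEach` could be replaced by `vi.stubEnv('NODE_ENV', 'production')` with `vi.unstubAllEnvs()` in `afterEach`, which also removes the `as Record` cast on `process.env` (its type argument appears to have been lost in rendering). Whether `envFlag` treats `'0'` as false is outside this hunk, so confirm against session-cookie.ts before adding that case.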
@@ -35,7 +35,7 @@ function envFlag(name: string): boolean | undefined {
 export function getMcSessionCookieOptions(input: { maxAgeSeconds: number; isSecureRequest?: boolean }): Partial {
 const secureEnv = envFlag('MC_COOKIE_SECURE')
- const secure = secureEnv ?? input.isSecureRequest ?? process.env.NODE_ENV === 'production'
+ const secure = secureEnv ?? input.isSecureRequest ?? false
 return {
 httpOnly: true,
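Review bot: Replacing `process.env.NODE_ENV === 'production'` with `false` as the last fallback turns an omitted `isSecureRequest` into a session cookie without `Secure` in production, where it previously defaulted to secure — a fail-open change on the `const secure` line that the new tests never exercise, since every test passes `isSecureRequest` explicitly. The plain-HTTP case those tests describe already worked with the old expression, because `false ?? x` does not fall through, so the only behavior this hunk changes is the `undefined` case. If some caller passes `undefined` on plain HTTP, fix that caller to pass `false` rather than weakening the default; otherwise keep `const secure = secureEnv ?? input.isSecureRequest ?? process.env.NODE_ENV === 'production'`, or make `isSecureRequest` required in the input type so omission becomes a compile error. Either way, request-derived scheme detection behind a TLS-terminating proxy reports plain HTTP unless forwarded headers are trusted, so a comment such as `// Behind a TLS-terminating proxy set MC_COOKIE_SECURE=1; per-request detection sees plain HTTP` belongs above this line. The body of getMcSessionCookieOptions continues past the end of the hunk.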