diff --git a/src/lib/session-cookie.ts b/src/lib/session-cookie.ts
index a5d9065a..8a7fb780 100644
--- a/src/lib/session-cookie.ts
+++ b/src/lib/session-cookie.ts
@@ -35,6 +35,9 @@ function envFlag(name: string): boolean | undefined {
 export function getMcSessionCookieOptions(input: { maxAgeSeconds: number; isSecureRequest?: boolean }): Partial {
 const secureEnv = envFlag('MC_COOKIE_SECURE')
+ // Prefer explicit env override, then actual request security.
+ // Do NOT fall back to NODE_ENV, because that breaks HTTP-only local
+ // deployments where browsers will drop `Secure` cookies.
 const secure = secureEnv ?? input.isSecureRequest ?? false
 return {