diff --git a/src/main/java/net/dancier/dancer/authentication/service/AuthenticationService.java b/src/main/java/net/dancier/dancer/authentication/service/AuthenticationService.java
index 482186f..1dd289f 100644
--- a/src/main/java/net/dancier/dancer/authentication/service/AuthenticationService.java
+++ b/src/main/java/net/dancier/dancer/authentication/service/AuthenticationService.java
@@ -5,6 +5,7 @@ import net.dancier.dancer.authentication.event.NewUserCreatedEvent;
 import net.dancier.dancer.authentication.model.*;
 import net.dancier.dancer.authentication.repository.*;
+import net.dancier.dancer.core.config.CookieConfiguration;
 import net.dancier.dancer.core.exception.ApplicationException;
 import net.dancier.dancer.core.exception.BusinessException;
 import net.dancier.dancer.core.exception.NotFoundException;
@@ -55,6 +56,7 @@ public class AuthenticationService {
     private final VerifiedActionCodeRepository verifiedActionCodeRepository;
     private final String frontendBaseName;
     private final ApplicationEventPublisher applicationEventPublisher;
+    private final CookieConfiguration cookieConfiguration;
 
     public Authentication authenticate(Authentication authentication) {
         return this.authenticationManager.authenticate(authentication);
@@ -70,10 +72,10 @@ public String generateJwtToken(String subject) {
     public ResponseCookie generateCookie(String token) {
         return ResponseCookie.from("jwt-token", token)
                 .maxAge(Duration.ofDays(30))
-                .secure(true)
+                .secure(cookieConfiguration.getSecure())
                 .httpOnly(true)
                 .path("/")
-                .sameSite("None")
+                .sameSite(cookieConfiguration.getSameSite())
                 .build();
     }
 
@@ -83,12 +85,7 @@ public ResponseCookie generateCookie(String token) {
      */
     public ResponseCookie generateClearingCookie() {
         return ResponseCookie.from("jwt-token", "")
-                .maxAge(Duration.ofDays(0))
-                .secure(true)
-                .httpOnly(true)
-                .path("/")
-                .sameSite("None")
-                .build();
+                .build();
     }
 
     public User getUser(UUID userId) {
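Review bot: `.secure(cookieConfiguration.getSecure())` in generateCookie unboxes a `Boolean` into the builder's `boolean` parameter, so any profile or environment that does not set `app.cookie.secure` makes every login fail with a NullPointerException instead of falling back to a safe value. Declaring the field as a primitive with a fail-safe default in CookieConfiguration, `private boolean secure = true;`, leaves this hunk unchanged and makes the Secure flag opt-out rather than opt-in. `sameSite(null)` on the next changed line presumably just omits the attribute, so an unset `app.cookie.sameSite` silently changes the cookie's cross-site behaviour rather than failing loudly; a default of `"Strict"` in the same class closes that gap. The same point applies to the CookieConfiguration hunk of this patch.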
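Review bot: The clearing cookie built in generateClearingCookie no longer carries `Max-Age=0` or `Path=/`, so on logout the browser is not told to delete `jwt-token`: it receives a session cookie with an empty value whose path defaults to the directory of the request URI, and unless that happens to be `/` the original token cookie issued by generateCookie (path `/`) survives and keeps being sent, leaving the user effectively logged in until the JWT expires. The cookie also loses `HttpOnly`, `Secure` and `SameSite`, so it no longer matches the attributes of the cookie it is meant to replace. The removed attributes should be restored using the configured values, as in the rewrite below, so that the clearing cookie differs from the one generateCookie issues only in value and lifetime.
```java
    public ResponseCookie generateClearingCookie() {
        return ResponseCookie.from("jwt-token", "")
                .maxAge(Duration.ZERO)
                .secure(cookieConfiguration.getSecure())
                .httpOnly(true)
                .path("/")
                .sameSite(cookieConfiguration.getSameSite())
                .build();
    }
```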
diff --git a/src/main/java/net/dancier/dancer/core/config/CookieConfiguration.java b/src/main/java/net/dancier/dancer/core/config/CookieConfiguration.java
new file mode 100644
index 0000000..90db8af
--- /dev/null
+++ b/src/main/java/net/dancier/dancer/core/config/CookieConfiguration.java
@@ -0,0 +1,14 @@
+package net.dancier.dancer.core.config;
+
+import lombok.Data;
+import org.springframework.boot.context.properties.ConfigurationProperties;
+import org.springframework.stereotype.Component;
+
+
+@Data
+@Component
+@ConfigurationProperties(prefix = "app.cookie")
+public class CookieConfiguration {
+    private Boolean secure;
+    private String sameSite;
+}
diff --git a/src/main/resources/application.yml b/src/main/resources/application.yml
index e62b838..8ddf734 100644
--- a/src/main/resources/application.yml
+++ b/src/main/resources/application.yml
@@ -29,6 +29,9 @@ app:
   auth:
     tokenSecret: 04ca023b39512e46d0c2cf4b48d5aac61d34302994c87ed4eff225dcf3b0a218739f3897051a057f9b846a69ea2927a587044164b7bae5e1306219d50b588cb1
     tokenExpirationMsec: 864000000
+  cookie:
+    secure: true # otherwise overwrite it via env-var (APP_COOKIE_SECURE)
+    sameSite: Strict # other values needs to be overwritten by env vars could be: [Strict|Lax|None]
   cors:
     allowedOrigins: http://localhost:4200,http://localho.st:4200 # Comma separated list of allowed origins
 # differentiate between success and failure
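Review bot: `sameSite` is bound from configuration and written into the Set-Cookie header without validation, so a misspelt value such as `strict` or `none` reaches the browser verbatim, and `None` combined with `secure=false` produces a cookie that browsers discard; both mistakes surface only as users who cannot stay logged in. Lombok's `@Data` does not generate a setter when one is declared explicitly and Spring Boot binds properties through setters, so a validating setter turns a bad value into a startup error; together with a primitive `secure` and non-null defaults for both fields (so an unset property can never yield `null`) that gives the rewrite below, which also needs `import java.util.Set;`. The class has no Javadoc either; a one-line class comment stating that it is bound from the `app.cookie` prefix and listing the accepted `sameSite` values would help the next maintainer.
```java
public class CookieConfiguration {
    private boolean secure = true;
    private String sameSite = "Strict";

    public void setSameSite(String sameSite) {
        if (!Set.of("Strict", "Lax", "None").contains(sameSite)) {
            throw new IllegalArgumentException(
                    "app.cookie.sameSite must be one of Strict, Lax or None but was: " + sameSite);
        }
        this.sameSite = sameSite;
    }
}
```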
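Review bot: The comment on the new `sameSite` line does not say that the `None` value it lists is only honoured by browsers when `secure` is `true`, which matters now that the two settings can be overridden independently, and its wording is ungrammatical. A replacement comment for that line: `# one of Strict|Lax|None, override via env var APP_COOKIE_SAMESITE; None is only accepted by browsers together with secure: true`.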