diff --git a/config.sample.yaml b/config.sample.yaml
index 11e365c..8a4ee2d 100644
--- a/config.sample.yaml
+++ b/config.sample.yaml
@@ -27,6 +27,9 @@ auth:
 # this allows the JWT cookie to be served over plain HTTP only for these Host: header values
 allowInsecureFor:
 "localhost": true
+ # this instead changes the meaning of allowInsecureFor to the cookie being marked
+ # Secure, but SameSite will be set to None
+ sameSiteNoneForInsecure: false
 listen: ':3050'
 public: true
 log:
diff --git a/pkg/auth/jwt.go b/pkg/auth/jwt.go
index 6cb64f3..b2eed4c 100644
--- a/pkg/auth/jwt.go
+++ b/pkg/auth/jwt.go
@@ -145,6 +145,16 @@ func (a *Auth) allowInsecureCookie(r *http.Request) bool {
 return has && v
 }
 
+func (a *Auth) setInsecureCookie(cookie *http.Cookie) {
+ if a.cfg.SameSiteNoneWhenInsecure {
+ cookie.Secure = true
+ cookie.SameSite = http.SameSiteNoneMode
+ } else {
+ cookie.Secure = false
+ cookie.SameSite = http.SameSiteLaxMode
+ }
+}
+
 func (a *Auth) routeRefresh(w http.ResponseWriter, r *http.Request) {
 jwToken, _, err := jwtauth.FromContext(r.Context())
 if err != nil {
@@ -174,8 +184,7 @@ func (a *Auth) routeRefresh(w http.ResponseWriter, r *http.Request) {
 }
 
 if a.allowInsecureCookie(r) {
- cookie.Secure = false
- cookie.SameSite = http.SameSiteLaxMode
+ a.setInsecureCookie(cookie)
 }
 
 if cookie.Secure {
@@ -236,8 +245,7 @@ func (a *Auth) routeAuth(w http.ResponseWriter, r *http.Request) {
 cookie.Domain = r.Host
 
 if a.allowInsecureCookie(r) {
- cookie.Secure = false
- cookie.SameSite = http.SameSiteLaxMode
+ a.setInsecureCookie(cookie)
 }
 
 http.SetCookie(w, cookie)
@@ -263,8 +271,8 @@ func (a *Auth) routeLogout(w http.ResponseWriter, r *http.Request) {
 cookie.Domain = r.Host
 
 if a.allowInsecureCookie(r) {
- cookie.Secure = false
- cookie.SameSite = http.SameSiteLaxMode
+ cookie.Secure = true
+ cookie.SameSite = http.SameSiteNoneMode
 }
 
 http.SetCookie(w, cookie)
diff --git a/pkg/config/config.go b/pkg/config/config.go
index bbea959..61dc344 100644
--- a/pkg/config/config.go
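Review bot: The comment on the new sameSiteNoneForInsecure key does not say what the setting costs: with SameSite=None the JWT cookie is attached to cross-site requests too, so the CSRF protection that Lax gave on the allowInsecureFor hosts is gone, and a cookie marked Secure is only stored when the browser treats the origin as secure (an https listener or a TLS-terminating proxy in front of `listen`, presumably). The phrase "changes the meaning of allowInsecureFor" is easy to misread. I would reword the two comment lines to `# when true, hosts listed in allowInsecureFor get a cookie marked Secure with SameSite=None` and `# instead of a plain-HTTP cookie with SameSite=Lax; cross-site requests will then carry the JWT cookie`.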
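Review bot: setInsecureCookie has no doc comment and its name no longer describes the SameSiteNoneWhenInsecure branch, which sets Secure=true rather than relaxing anything. A comment such as `// setInsecureCookie applies the allowInsecureFor policy to a JWT cookie: a non-Secure cookie with SameSite=Lax, or, when SameSiteNoneWhenInsecure is set, a Secure cookie with SameSite=None, which browsers also send on cross-site requests so CSRF defences must come from elsewhere.` would make the trade-off visible at the call sites in routeRefresh and routeAuth. In the Secure branch the cookie is only stored when the browser considers the request origin secure, so hosts using this mode presumably sit behind TLS termination; worth confirming that is the intended deployment before this lands.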
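Review bot: routeLogout hardcodes `cookie.Secure = true` and `cookie.SameSite = http.SameSiteNoneMode` inside the allowInsecureCookie branch regardless of SameSiteNoneWhenInsecure, while routeRefresh and routeAuth in the hunks above go through a.setInsecureCookie. With the flag off, the session cookie is issued non-Secure/Lax but the clearing cookie is Secure/None, and a browser may refuse a Secure cookie set over a plain-HTTP host, leaving the JWT cookie in place after logout. Replace the two added lines with `a.setInsecureCookie(cookie)` so all three routes apply the same policy. routeLogout's body starts and ends outside the hunk.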
+++ b/pkg/config/config.go
@@ -30,8 +30,9 @@ type Config struct {
 }
 
 type Auth struct {
- JWTSecret string `yaml:"jwtsecret"`
- AllowInsecure map[string]bool `yaml:"allowInsecureFor"`
+ JWTSecret string `yaml:"jwtsecret"`
+ AllowInsecure map[string]bool `yaml:"allowInsecureFor"`
+ SameSiteNoneWhenInsecure bool `yaml:"sameSiteNoneForInsecure"`
 }
 
 type CORS struct {
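Review bot: The new SameSiteNoneWhenInsecure field has no doc comment, and its Go name ("When") does not match the YAML key sameSiteNoneForInsecure ("For"), so the struct tag is the only link between the sample config and the code. Add `// SameSiteNoneWhenInsecure makes hosts listed in AllowInsecure receive a Secure, SameSite=None JWT cookie instead of a non-Secure, SameSite=Lax one; the cookie is then also sent on cross-site requests.` above the field, and consider aligning the two names. The Auth struct is fully visible in the hunk.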