diff --git a/.env.example b/.env.example
index 8317dce..3953df0 100644
--- a/.env.example
+++ b/.env.example
@@ -7,6 +7,7 @@ NODE_ENV=production
 # Session
 SESSION_SECRET=HIER_EINEN_LANGEN_ZUFAELLIGEN_STRING_EINTRAGEN
+# SESSION_SECURE=false # Nur setzen wenn kein HTTPS/Reverse Proxy (z.B. direktes localhost)
 # Datenbank (SQLite/SQLCipher)
 DB_PATH=/data/oikos.db
diff --git a/server/auth.js b/server/auth.js
index 12ff479..4f114f5 100644
--- a/server/auth.js
+++ b/server/auth.js
@@ -43,7 +43,10 @@ const sessionMiddleware = session({
 name: 'oikos.sid',
 cookie: {
 httpOnly: true,
- secure: process.env.NODE_ENV === 'production',
+ // SESSION_SECURE=false in .env erlaubt HTTP-Zugriff (z.B. direktes localhost ohne Reverse Proxy)
+ // Ohne diese Variable: secure=true wenn NODE_ENV=production
+ secure: process.env.SESSION_SECURE === 'false' ? false
+ : process.env.NODE_ENV === 'production',
 sameSite: 'strict',
 maxAge: 1000 * 60 * 60 * 24 * 7, // 7 Tage in ms
 },
@@ -130,7 +133,8 @@ router.post('/login', loginLimiter, async (req, res) => {
 res.cookie('csrf-token', req.session.csrfToken, {
 httpOnly: false,
 sameSite: 'strict',
- secure: process.env.NODE_ENV === 'production',
+ secure: process.env.SESSION_SECURE === 'false' ? false
+ : process.env.NODE_ENV === 'production',
 maxAge: 1000 * 60 * 60 * 24 * 7,
 });
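Review bot: The `secure` decision is now duplicated — once in the session cookie options in this hunk and again for the `csrf-token` cookie in the `/login` hunk below — and a `SESSION_SECURE=false` left over in a production `.env` silently sends both cookies over plain HTTP with nothing in the logs. Compute the flag once at module level, write `secure: cookieSecure,` at both sites so they cannot drift apart, and emit a warning when the override downgrades a `NODE_ENV=production` deployment so the state is at least visible at startup. Only the exact string `'false'` disables the flag, so a typo in the variable fails safe; that property is worth keeping and worth stating in the `.env.example` comment as well. Both `sessionMiddleware` and the `/login` handler begin before their hunks; if `trust proxy` is not set elsewhere in this file, express-session will still decline to set a `secure` cookie behind a TLS-terminating reverse proxy, which this diff does not show either way.
```javascript
// Computed once so the session cookie and the csrf-token cookie can never disagree.
// Only the exact string 'false' disables the flag; anything else falls back to the
// NODE_ENV rule, so a typo fails safe.
const cookieSecure = process.env.SESSION_SECURE === 'false'
  ? false
  : process.env.NODE_ENV === 'production';
if (!cookieSecure && process.env.NODE_ENV === 'production') {
  console.warn('SESSION_SECURE=false: session and csrf-token cookies will be sent over plain HTTP');
}

const sessionMiddleware = session({
  // … unchanged: secret, name, cookie.httpOnly …
    secure: cookieSecure,
  // … unchanged: sameSite, maxAge … (same one-line change for the csrf-token cookie in /login)
```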