diff --git a/session/http_server.go b/session/http_server.go
index f0e80da0a2e..b78d5fea8f7 100644
--- a/session/http_server.go
+++ b/session/http_server.go
@@ -208,7 +208,7 @@ func encodeCookieSession(w http.ResponseWriter, s *influxdb.Session, tlsEnabled
 		Path:     "/api/", // since UI doesn't need it, limit cookie usage to API requests
 		Expires:  s.ExpiresAt,
 		SameSite: http.SameSiteStrictMode,
-		HttpOnly: tlsEnabled,
+		HttpOnly: true,
 		Secure:   tlsEnabled,
 	}