diff --git a/backend/internal/api/handlers/auth_handler.go b/backend/internal/api/handlers/auth_handler.go
index ef1b42f1..ce4c5572 100644
--- a/backend/internal/api/handlers/auth_handler.go
+++ b/backend/internal/api/handlers/auth_handler.go
@@ -128,7 +128,8 @@ func isLocalRequest(c *gin.Context) bool {
 // setSecureCookie sets an auth cookie with security best practices
 // - HttpOnly: prevents JavaScript access (XSS protection)
 // - Secure: true for HTTPS; false for local/private network HTTP requests
-// - SameSite: Strict for HTTPS, Lax for HTTP/IP to allow forward-auth redirects
+// - SameSite: Lax for any local/private-network request (regardless of scheme),
+// Strict otherwise (public HTTPS only)
 func setSecureCookie(c *gin.Context, name, value string, maxAge int) {
 scheme := requestScheme(c)
 secure := true
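Review bot: The rewritten SameSite bullet leaves the public plain-HTTP case undocumented: the Secure bullet above it says the flag is relaxed only for local/private-network HTTP, so a public HTTP request would receive a Secure cookie that browsers will not store, yet the new text only says `Strict otherwise (public HTTPS only)`. Suggest spelling that out, e.g. `//   Strict otherwise; public HTTP requests get a Secure cookie, which browsers will not store` — or, if such requests are rejected earlier, say so — whichever the code below actually does. It would also help to note in the comment that Lax still sends the cookie on top-level cross-site GET navigations, so the routes that rely on it for CSRF protection must not perform state changes on GET. The body of setSecureCookie, including the SameSite selection the comment describes, continues past the end of this hunk, so the claim cannot be checked here.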