diff --git a/src/helper/storage/cookie.js b/src/helper/storage/cookie.js
index d919f68a..5a7e7110 100644
--- a/src/helper/storage/cookie.js
+++ b/src/helper/storage/cookie.js
@@ -1,5 +1,6 @@
import Cookie from 'js-cookie';
import objectHelper from '../object';
+import windowHandler from '../window';
function CookieStorage() {}
CookieStorage.prototype.getItem = function(key) {
@@ -17,6 +18,11 @@ CookieStorage.prototype.setItem = function(key, value, options) {
},
options
);
+
+ if (windowHandler.getWindow().location.protocol === 'https:') {
+ params.secure = true;
+ }
+
Cookie.set(key, value, params);
};
diff --git a/test/helper/storage-handler.test.js b/test/helper/storage-handler.test.js
index 92ace787..d41fa77b 100644
--- a/test/helper/storage-handler.test.js
+++ b/test/helper/storage-handler.test.js
@@ -21,7 +21,10 @@ describe('helpers storage handler', function() {
beforeEach(function() {
sinon.stub(windowHandler, 'getWindow').callsFake(function(message) {
return {
- localStorage: new MockLocalStorage()
+ localStorage: new MockLocalStorage(),
+ location: {
+ protocol: 'http:'
+ }
};
});
});
@@ -40,6 +43,7 @@ describe('helpers storage handler', function() {
let setItemSpy;
let getItemStub;
let removeItemSpy;
+
beforeEach(function() {
windowHandler.getWindow.restore();
@@ -119,6 +123,7 @@ describe('helpers storage handler', function() {
var handler = new StorageHandler({ __tryLocalStorageFirst: true });
expect(handler.storage).to.be.a(MockLocalStorage);
+
handler.setItem('some', 'value', { options: true });
expect(handler.storage).to.be.a(CookieStorage);
diff --git a/test/helper/storage.cookie.test.js b/test/helper/storage.cookie.test.js
index dcfa91d5..609bed88 100644
--- a/test/helper/storage.cookie.test.js
+++ b/test/helper/storage.cookie.test.js
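Review bot: In `src/helper/storage/cookie.js`, the check added to `CookieStorage.prototype.setItem` reads `windowHandler.getWindow().location.protocol` without a guard, so a window object that has no `location` makes the cookie write throw a TypeError instead of storing the value; that appears to be why the test stubs in this commit all had to gain a `location` entry. A guarded read keeps the write working: `var loc = windowHandler.getWindow().location;` followed by `if (loc && loc.protocol === 'https:') {`. A short comment above the check should also record that the Secure attribute is decided from the page protocol at write time, that on https it replaces whatever `secure` value the caller passed in `options`, and that cookies written from an http page are still sent without it. `setItem` starts above this hunk, so the construction of `params` is only partly visible.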
@@ -3,6 +3,8 @@ import expect from 'expect.js';
import sinon from 'sinon';
import CookieStorage from '../../src/helper/storage/cookie';
+import windowHandler from '../../src/helper/window';
+
var cookieStorage = new CookieStorage();
const KEY = 'foo';
const VALUE = 'bar';
@@ -39,21 +41,57 @@ describe('storage.cookies', function() {
});
});
describe('setItem', function() {
+ beforeEach(function() {
+ sinon.stub(windowHandler, 'getWindow').callsFake(function() {
+ return {
+ location: {
+ protocol: 'http:'
+ }
+ };
+ });
+ });
+
+ afterEach(function() {
+ windowHandler.getWindow.restore();
+ });
+
it('calls Cookie.set with default values', function() {
cookieStorage.setItem(KEY, VALUE);
+
expect(CookieLibrary.set.firstCall.args).to.be.eql([
'foo',
'bar',
{ expires: 1 }
]);
});
+
it('calls Cookie.set with custom values', function() {
cookieStorage.setItem(KEY, VALUE, { expires: 2, test: true });
+
expect(CookieLibrary.set.firstCall.args).to.be.eql([
'foo',
'bar',
{ expires: 2, test: true }
]);
});
+
+ it('sets the secure flag on cookies when using the https protocol', function() {
+ windowHandler.getWindow.restore();
+ sinon.stub(windowHandler, 'getWindow').callsFake(function() {
+ return {
+ location: {
+ protocol: 'https:'
+ }
+ };
+ });
+
+ cookieStorage.setItem(KEY, VALUE, { expires: 2, test: true });
+
+ expect(CookieLibrary.set.firstCall.args).to.be.eql([
+ 'foo',
+ 'bar',
+ { expires: 2, test: true, secure: true }
+ ]);
+ });
});
});
diff --git a/test/web-auth/cross-origin-authentication.test.js b/test/web-auth/cross-origin-authentication.test.js
index 5d8dc1bf..fb5724ca 100644
--- a/test/web-auth/cross-origin-authentication.test.js
+++ b/test/web-auth/cross-origin-authentication.test.js
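Review bot: The `setItem` cases added in the second hunk of `test/helper/storage.cookie.test.js` never pass a `secure` option, so the precedence between a caller-supplied value and the protocol check is not pinned by any test. Under the `https:` stub, a call such as `cookieStorage.setItem(KEY, VALUE, { secure: false });` followed by `expect(CookieLibrary.set.firstCall.args[2].secure).to.be(true);` would lock in that the protocol check wins, which is the behaviour the new source code appears to implement. A matching case under the `http:` stub with `{ secure: true }` would show that an explicit opt-in survives on insecure pages. The enclosing `describe('storage.cookies', ...)` block starts and ends outside the hunk.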
@@ -25,9 +25,19 @@ describe('auth0.WebAuth.crossOriginAuthentication', function() {
});
global.window = {};
});
+
beforeEach(function() {
sinon.spy(Storage.prototype, 'setItem');
+
+ sinon.stub(windowHelper, 'getWindow').callsFake(function() {
+ return {
+ location: {
+ protocol: 'http:'
+ }
+ };
+ });
});
+
afterEach(function() {
request.post.restore();
Storage.prototype.setItem.restore();
@@ -38,6 +48,10 @@ describe('auth0.WebAuth.crossOriginAuthentication', function() {
if (WebMessageHandler.prototype.run.restore) {
WebMessageHandler.prototype.run.restore();
}
+
+ if (windowHelper.getWindow.restore) {
+ windowHelper.getWindow.restore();
+ }
});
it('should call /co/authenticate and redirect to /authorize with login_ticket using `username`', function() {
sinon.stub(request, 'post').callsFake(function(url) {
@@ -63,16 +77,20 @@ describe('auth0.WebAuth.crossOriginAuthentication', function() {
}
});
});
+
this.co.login({
username: 'me@example.com',
password: '123456',
anotherOption: 'foobar'
});
+
expect(this.webAuthSpy.authorize.getCall(0).args[0]).to.be.eql({
username: 'me@example.com',
loginTicket: 'a_login_ticket',
anotherOption: 'foobar'
});
+
+ windowHelper.getWindow.restore();
});
it('should call /co/authenticate and redirect to /authorize with login_ticket using `email`', function() {
sinon.stub(request, 'post').callsFake(function(url) {
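Review bot: The `windowHelper.getWindow.restore();` added at the end of the `username` test (third hunk) runs only when the preceding `expect` passes, and it duplicates the cleanup the second hunk adds to `afterEach`. Because that test removes the stub itself, the `afterEach` call has to be wrapped in `if (windowHelper.getWindow.restore)`. Removing the in-test line would leave cleanup in one place and, as far as these hunks show, let `afterEach` call `windowHelper.getWindow.restore();` unconditionally. The `describe` block and the other tests lie outside the visible hunks, so confirm none of them relies on the stub being gone early.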