diff --git a/SAPSec.Web/Authentication/DsiAuthenticationExtensions.cs b/SAPSec.Web/Authentication/DsiAuthenticationExtensions.cs
index e9aa3938..893afea1 100644
--- a/SAPSec.Web/Authentication/DsiAuthenticationExtensions.cs
+++ b/SAPSec.Web/Authentication/DsiAuthenticationExtensions.cs
@@ -78,7 +78,7 @@ private static void ConfigureCookieOptions(CookieAuthenticationOptions options,
 {
 options.Cookie.Name = CookieSettings.Name;
 options.Cookie.HttpOnly = true;
- options.Cookie.SecurePolicy = CookieSecurePolicy.SameAsRequest;
+ options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
 options.Cookie.SameSite = SameSiteMode.Lax;
 options.ExpireTimeSpan = TimeSpan.FromMinutes(config.TokenExpiryMinutes);
 options.SlidingExpiration = true;
@@ -123,6 +123,8 @@ private static void ConfigureBasicOpenIdConnectSettings(OpenIdConnectOptions opt
 options.SignedOutCallbackPath = new PathString(config.SignedOutCallbackPath);
 options.RequireHttpsMetadata = config.RequireHttpsMetadata;
 options.MetadataAddress = config.MetadataAddress;
+ options.NonceCookie.SecurePolicy = CookieSecurePolicy.Always;
+ options.CorrelationCookie.SecurePolicy = CookieSecurePolicy.Always;
 }
 private static void ConfigureOpenIdConnectScopes(OpenIdConnectOptions options)
diff --git a/SAPSec.Web/Program.cs b/SAPSec.Web/Program.cs
index 33138e6b..0b3aecad 100644
--- a/SAPSec.Web/Program.cs
+++ b/SAPSec.Web/Program.cs
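Review bot: The switch to `CookieSecurePolicy.Always` on the authentication cookie in the first hunk means a browser will silently discard the cookie on any page still reached over plain http, so a non-TLS environment (local development, or a proxy that does not present HTTPS to the browser) will now loop through sign-in instead of failing loudly. This is the right setting when TLS is terminated upstream and Kestrel itself sees http, a case `SameAsRequest` handled badly, but it only holds if the pipeline also enforces HTTPS; `UseHttpsRedirection`/`UseHsts` are not visible in this diff, so please confirm they are present or document the requirement. A comment above the changed line would capture the reasoning: `// Always (not SameAsRequest): the cookie must carry Secure even when TLS terminates at the proxy and Kestrel sees plain http, so the site has to be served over HTTPS end to end.` `ConfigureCookieOptions` begins before this hunk and its body continues past it.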
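Review bot: Forcing `Always` on the nonce and correlation cookies in the second hunk is the right move, because the OpenID Connect handler issues them with `SameSite=None` unless overridden elsewhere (they ride the cross-site form_post callback) and browsers refuse to store a `SameSite=None` cookie without `Secure`, but the same hunk still leaves `RequireHttpsMetadata` driven by configuration, so an environment that relaxes that flag to run over http will now fail later at the callback with a correlation error rather than at startup. Either make the two consistent with `options.RequireHttpsMetadata = true;` or leave a comment making the constraint explicit, e.g. `// Secure is mandatory: both cookies are SameSite=None and browsers reject them over http, whatever RequireHttpsMetadata says.` `ConfigureBasicOpenIdConnectSettings` starts above this hunk, and the `ConfigureOpenIdConnectScopes` signature at the end is context only, with its body outside the diff.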
@@ -48,8 +48,12 @@ public static void Main(string[] args)
 options.JsonSerializerOptions.DefaultIgnoreCondition = JsonIgnoreCondition.WhenWritingNull;
 });
- builder.Services.AddRazorPages();
- builder.Services.AddFeatureManagement();
+ builder.Services.AddRazorPages();
+ builder.Services.AddAntiforgery(options =>
+ {
+ options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
+ });
+ builder.Services.AddFeatureManagement();
 builder.Services.AddScoped();
 builder.Services.Configure(builder.Configuration.GetSection("CustomEventLocations"));
 builder.Services.Configure(builder.Configuration.GetSection("Analytics"));
@@ -120,22 +124,21 @@ public static void Main(string[] args)
 builder.Services.AddDistributedMemoryCache();
- builder.Services.AddSession(options =>
- {
- options.IdleTimeout = TimeSpan.FromHours(1);
- options.Cookie.HttpOnly = true;
- options.Cookie.IsEssential = true;
- options.Cookie.SecurePolicy = CookieSecurePolicy.SameAsRequest;
- options.Cookie.SameSite = SameSiteMode.Lax;
- options.Cookie.Name = ".SAPSec.Session";
- });
-
- builder.Services.Configure(options =>
- {
- options.CheckConsentNeeded = _ => false;
- options.MinimumSameSitePolicy = SameSiteMode.Lax;
- options.Secure = CookieSecurePolicy.SameAsRequest;
- });
+ builder.Services.AddSession(options =>
+ {
+ options.IdleTimeout = TimeSpan.FromHours(1);
+ options.Cookie.HttpOnly = true;
+ options.Cookie.IsEssential = true;
+ options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
+ options.Cookie.SameSite = SameSiteMode.Lax;
+ options.Cookie.Name = ".SAPSec.Session";
+ });
+
+ builder.Services.Configure(options =>
+ {
+ options.CheckConsentNeeded = _ => false;
+ options.Secure = CookieSecurePolicy.Always;
+ });
 builder.Services.AddLogging(logging =>
 {
@@ -233,9 +236,10 @@ public static void Main(string[] args)
 }
 });
- app.UseRouting();
-
- app.UseSession();
+ app.UseRouting();
+ app.UseCookiePolicy();
+
+ app.UseSession();
 app.UseGovUkFrontend();
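Review bot: The `AddRazorPages()` and `AddFeatureManagement()` lines in the first Program.cs hunk are removed and re-added with no change beyond leading whitespace, as are most lines of the session and cookie-policy blocks and the `UseRouting()`/`UseSession()` calls further down, which buries the four real edits in re-indentation noise; land the whitespace normalisation as a separate commit, or drop it, so the security change reviews on its own. The `AddAntiforgery` registration itself is fine, but since the global cookie policy in the same commit already forces `Secure` on every cookie, a one-line comment such as `// Explicit per-cookie Secure so the antiforgery token stays protected even if UseCookiePolicy is ever removed` would explain why both exist. `Main` begins above this hunk and continues below it.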
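Review bot: Dropping `options.MinimumSameSitePolicy = SameSiteMode.Lax;` from the cookie-policy block leaves the setting at the framework default, which to my recollection is also `Lax`, and because this commit also adds `UseCookiePolicy()` the policy now actually executes: a `Lax` minimum rewrites any cookie issued with `SameSite=None`, which is how the OpenID Connect handler emits its correlation and nonce cookies for the form_post callback, so cross-site sign-in can start failing with a correlation error once this ships. Set the minimum explicitly so each handler's own SameSite choice is respected, `options.MinimumSameSitePolicy = SameSiteMode.Unspecified;`, with a comment like `// Unspecified: do not upgrade the OIDC correlation/nonce cookies (SameSite=None) to Lax`. Note also that `options.Secure = CookieSecurePolicy.Always` in this block is now applied to every `Set-Cookie` the app or any library writes, which is presumably the intent but makes the HTTPS-only requirement absolute across all environments. `Main` starts before this hunk and continues after it.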
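Review bot: `app.UseCookiePolicy()` only governs cookies appended by middleware that runs after it, and the last hunk places it after `UseRouting()` with `UseSession()` following; whether `UseAuthentication()` and any custom middleware that writes cookies also come after it is not visible here, so please confirm, and move the call earlier (before `UseRouting()`, conventionally right after `UseStaticFiles()` if that is present) should anything above it set cookies. A short comment would spare the next reader the same check: `// Must precede every middleware that emits Set-Cookie (session, authentication) for the Secure policy to apply.` `Main` begins before and ends after this hunk.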