diff --git a/pkg/schemaserver/server/validate.go b/pkg/schemaserver/server/validate.go index 2063c80..13d4705 100644 --- a/pkg/schemaserver/server/validate.go +++ b/pkg/schemaserver/server/validate.go @@ -54,9 +54,13 @@ func CheckCSRF(apiOp *types.APIRequest) error { } cookie = &http.Cookie{ - Name: csrfCookie, - Value: hex.EncodeToString(bytes), + Name: csrfCookie, + Value: hex.EncodeToString(bytes), + Path: "/", + Secure: true, } + + http.SetCookie(apiContext.Response, cookie) } else if err != nil { return httperror.NewAPIError(validation.InvalidCSRFToken, "Failed to parse cookies") } else if apiOp.Method != http.MethodGet { @@ -72,7 +76,5 @@ func CheckCSRF(apiOp *types.APIRequest) error { } } - cookie.Path = "/" - http.SetCookie(apiOp.Response, cookie) return nil } diff --git a/pkg/schemaserver/subscribe/handler.go b/pkg/schemaserver/subscribe/handler.go index 728ea9a..29398a5 100644 --- a/pkg/schemaserver/subscribe/handler.go +++ b/pkg/schemaserver/subscribe/handler.go @@ -4,10 +4,9 @@ import ( "encoding/json" "time" - "github.com/rancher/wrangler/pkg/schemas/validation" - "github.com/gorilla/websocket" "github.com/rancher/steve/pkg/schemaserver/types" + "github.com/rancher/wrangler/pkg/schemas/validation" "github.com/sirupsen/logrus" )
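Review bot: In the first hunk of validate.go, the added `http.SetCookie(apiContext.Response, cookie)` refers to `apiContext`, while the parameter in the hunk header and the neighbouring context lines is `apiOp`, and the call this commit removes from the end of the function was `http.SetCookie(apiOp.Response, cookie)`. Unless `apiContext` is declared above the hunk, this will not build, and the line should read `http.SetCookie(apiOp.Response, cookie)`. The new cookie also sets `Secure: true` unconditionally, so a browser reaching the server over plain HTTP will not send it back. Each such request would then re-enter the `http.ErrNoCookie` branch, which in the visible lines issues a fresh token and does not reach the `apiOp.Method != http.MethodGet` branch, so if plain-HTTP serving is supported, that case needs an explicit decision (for example rejecting non-GET requests that arrive without the cookie). CheckCSRF begins before this hunk and continues past it, so the token comparison itself is not visible here.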