diff --git a/docs/security/authentication.md b/docs/security/authentication.md index 745e7b84..bc49092e 100644 --- a/docs/security/authentication.md +++ b/docs/security/authentication.md @@ -748,6 +748,9 @@ These middlewares do the following: * the sessions middleware takes the session cookie provided in the request and converts it into a session * the session authenticator takes the session and see if there is an authenticated user for that session. If so, the middleware authenticates the request. In the response, the session authenticator sees if the request has an authenticated user and saves them in the session so they're authenticated in the next request. +!!! note + The session cookie is not set to `secure` and `httpOnly` by default. Check Vapor's [Session API](../advanced/sessions.md#configuration) for more information on how to configure cookies. + ### Protecting Routes When protecting routes for an API, you traditionally return an HTTP response with a status code such as **401 Unauthorized** if the request is not authenticated. However, this isn't a very good user experience for someone using a browser. Vapor provides a `RedirectMiddleware` for any `Authenticatable` type to use in this scenario:
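Review bot: The new `!!! note` admonition states that the session cookie is not `secure` or `httpOnly` by default but does not say why that matters, so a reader has no reason to follow the link; suggest adding one sentence explaining the consequence, e.g. "Without `secure` the cookie is also sent over plain HTTP, and without `httpOnly` it is readable by client-side script, so set both before deploying to production." Also verify that the relative link `../advanced/sessions.md#configuration` resolves to an existing heading in the sessions page, since the anchor cannot be checked from this hunk and a dead fragment would silently drop the reader at the top of the page. Finally, the unchanged context line above the note reads "takes the session and see if" which should be "sees if"; it is outside this change, but worth fixing while this section is being touched.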