diff --git a/docker-compose.dev.yml b/docker-compose.dev.yml
index e50eaa7..b5daf90 100644
--- a/docker-compose.dev.yml
+++ b/docker-compose.dev.yml
@@ -86,6 +86,14 @@ services:
 # (no credentials); explicit allowlist also covers the
 # /auth/sign-event credentialed flow when bucket-B PRs land.
 LNBITS_CORS_ALLOWED_ORIGINS: '["http://localhost:5173","http://192.168.0.32:5173","http://127.0.0.1:5173","http://localhost:5180","http://192.168.0.32:5180","http://127.0.0.1:5180","http://localhost:5181","http://192.168.0.32:5181","http://127.0.0.1:5181","http://localhost:5182","http://192.168.0.32:5182","http://127.0.0.1:5182","http://localhost:5183","http://192.168.0.32:5183","http://127.0.0.1:5183","http://localhost:5184","http://192.168.0.32:5184","http://127.0.0.1:5184","http://localhost:5185","http://192.168.0.32:5185","http://127.0.0.1:5185","http://localhost:5186","http://192.168.0.32:5186","http://127.0.0.1:5186","http://localhost:5187","http://192.168.0.32:5187","http://127.0.0.1:5187"]'
+ # Drop the `Secure` flag on auth + CSRF cookies so the regtest
+ # stack works over plain HTTP from a LAN IP (e.g. testing the
+ # webapp at http://192.168.0.32:5181 against this lnbits at
+ # http://192.168.0.32:5001). Browsers silently discard `Secure`
+ # cookies served over `http://` from non-loopback origins, which
+ # breaks the /auth/sign-event double-submit CSRF flow. Production
+ # leaves this unset (default `true`) — see aiolabs/lnbits#52.
+ LNBITS_AUTH_HTTPS_ONLY: "false"
 # Lowered from the 40_000 default just to make sharding easy to
 # exercise in local tests without seeding hundreds of payments.
 # Production runs should leave this unset (defaults to 40_000).
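Review bot: The added `LNBITS_AUTH_HTTPS_ONLY: "false"` hard-codes the relaxation, so the credentialed auth and CSRF cookies for this stack always travel in cleartext on the LAN with no way to restore the `Secure` flag short of editing the file; consider making it an overridable substitution, `LNBITS_AUTH_HTTPS_ONLY: "${LNBITS_AUTH_HTTPS_ONLY:-false}"`, which keeps the LAN-HTTP default but lets a developer who fronts the stack with TLS re-enable `Secure` from their environment. The comment's wording "silently discard `Secure` cookies" would be more precise as "refuse to store `Secure` cookies set over `http://`", since the cookie is rejected at set time rather than dropped later. The "default `true`" and the reference to aiolabs/lnbits#52 are taken from the comment itself and are not verifiable from this hunk. Quoting the value as a string is correct here, since compose passes env values as text and an unquoted `false` would be retyped by generic parsers. The enclosing `services:` mapping starts and ends outside the hunk.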