diff --git a/.env.example b/.env.example
index 904d8e6..aecddb1 100644
--- a/.env.example
+++ b/.env.example
@@ -34,7 +34,8 @@ DB_PASSWORD_EINUNDZANZIG=secret
 SESSION_DRIVER=database
 SESSION_LIFETIME=120
-SESSION_ENCRYPT=false
+SESSION_ENCRYPT=true
+SESSION_SECURE_COOKIE=true
 SESSION_PATH=/
 SESSION_DOMAIN=null
diff --git a/config/session.php b/config/session.php
index f0b6541..608b6d6 100644
--- a/config/session.php
+++ b/config/session.php
@@ -47,7 +47,7 @@ return [
 |
 */
- 'encrypt' => env('SESSION_ENCRYPT', false),
+ 'encrypt' => env('SESSION_ENCRYPT', true),
 /*
 |--------------------------------------------------------------------------
@@ -169,7 +169,7 @@ return [
 |
 */
- 'secure' => env('SESSION_SECURE_COOKIE'),
+ 'secure' => env('SESSION_SECURE_COOKIE', true),
 /*
 |--------------------------------------------------------------------------
diff --git a/tests/Feature/SessionSecurityTest.php b/tests/Feature/SessionSecurityTest.php
new file mode 100644
index 0000000..1d70146
--- /dev/null
+++ b/tests/Feature/SessionSecurityTest.php
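Review bot: `SESSION_SECURE_COOKIE=true` in .env.example, together with the new `true` default for `'secure'` in the second config/session.php hunk, means anyone who copies this file and serves the app over plain `http://` locally gets a session cookie the browser will never send back, so every request starts a fresh session and logins appear not to stick. The flag is the right production default; the problem is that the failure mode is silent and looks like an application bug. A one-line comment above the entry would save that debugging time: `# Requires HTTPS. Set to false only for local http:// development.`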
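Review bot: Flipping the `'encrypt'` default to `true` changes how session payloads already stored under `SESSION_DRIVER=database` are read: rows written unencrypted before this deploy will presumably fail decryption and be treated as empty, so every active user is logged out once, and any deployment that does not set `SESSION_ENCRYPT` explicitly now gets the same one-time effect. That is acceptable for a hardening change, but it should be stated so the rollout is planned rather than discovered. A short comment above the line would do: `// Default changed to true; sessions stored unencrypted before this change are invalidated on upgrade.`. The enclosing `return [` array starts and ends outside the hunk.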
@@ -0,0 +1,39 @@
+toBeTrue('http_only should default to true');
+ expect($config['same_site'])->toBe('lax', 'same_site should default to lax');
+});
+
+it('defaults session encryption to true in config', function () {
+ $configContent = file_get_contents(base_path('config/session.php'));
+
+ expect($configContent)->toContain("env('SESSION_ENCRYPT', true)");
+});
+
+it('defaults secure cookie to true in config', function () {
+ $configContent = file_get_contents(base_path('config/session.php'));
+
+ expect($configContent)->toContain("env('SESSION_SECURE_COOKIE', true)");
+});
+
+it('has secure session defaults in env example', function () {
+ $envExample = file_get_contents(base_path('.env.example'));
+
+ expect($envExample)->toContain('SESSION_ENCRYPT=true');
+ expect($envExample)->toContain('SESSION_SECURE_COOKIE=true');
+});
+
+it('sets httponly and samesite flags on session cookie', function () {
+ $response = $this->get('/');
+
+ $sessionCookie = collect($response->headers->getCookies())
+ ->first(fn ($cookie) => $cookie->getName() === config('session.cookie'));
+
+ expect($sessionCookie)->not->toBeNull();
+ expect($sessionCookie->isHttpOnly())->toBeTrue('Session cookie should be HttpOnly');
+ expect($sessionCookie->getSameSite())->toBe('lax', 'Session cookie should have SameSite=lax');
+});
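Review bot: The cookie test at the end of the hunk checks HttpOnly and SameSite but never asserts the attribute this commit actually introduces, the Secure flag, so reverting `'secure'` to unset would still pass; add `expect($sessionCookie->isSecure())->toBeTrue('Session cookie should be Secure');` after the HttpOnly assertion (if the test environment overrides SESSION_SECURE_COOKIE, that override is where to look when it fails). The three `file_get_contents` + `toContain` tests assert on the source text of config/session.php and .env.example rather than on effective configuration, so they break on any reformatting of those lines and still pass if the value is overridden elsewhere; asserting `config('session.encrypt')` and `config('session.secure')` with the environment variables cleared would test behaviour instead. The start of this hunk is cut off in the view, so the first test's opening lines were not reviewed.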