diff --git a/settings.py b/settings.py
index 20a0d63..80fb84b 100644
--- a/settings.py
+++ b/settings.py
@@ -109,8 +109,8 @@ SECRET_KEY = "not-the-real-secret-key-a#vaeozn0---^fj!355qki*vj2"
 LOGIN_REDIRECT_URL = '/'
 SECURE_CONTENT_TYPE_NOSNIFF = True
 SECURE_BROWSER_XSS_FILTER = True
-#SESSION_COOKIE_SECURE = True # if enabled, cannot login to Django control panel, bug elsewhere?
-CSRF_COOKIE_SECURE = True
+# SESSION_COOKIE_SECURE = True # if enabled, cannot login to Django control panel, bug elsewhere?
+# CSRF_COOKIE_SECURE = True # if enabled only sends cookies over SSL
 X_FRAME_OPTIONS = 'SAMEORIGIN'  # change to "DENY" after we eliminate all the iframes e.g. /xmlvalid.html
 
 INSTALLED_APPS = (