set *_COOKIE_SECURE by default
In !1676 (merged) I changed the default settings for cookies to be more secure. Back then I skipped *_COOKIE_SECURE
because TLS is not available in development.
In the spirit of "security by default" I would like to set those by default and "unset" them for development.
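
One way to get this behaviour, as an added example that is not the project's code: it assumes Django-style settings (`SESSION_COOKIE_SECURE`, `CSRF_COOKIE_SECURE`, `LANGUAGE_COOKIE_SECURE`), and the `DEV_INSECURE_COOKIES` variable and both function names are hypothetical. The secure value is the default everywhere, and the development opt-out is rejected unless `DEBUG` is on.

```python
# Added example, not the project's code. Assumes Django-style settings;
# DEV_INSECURE_COOKIES and the function names are hypothetical.
import os

SECURE_COOKIE_SETTINGS = (
    "SESSION_COOKIE_SECURE",
    "CSRF_COOKIE_SECURE",
    "LANGUAGE_COOKIE_SECURE",
)


def cookie_secure_settings(debug, environ=None):
    """Return the *_COOKIE_SECURE values: True unless development opts out.

    The opt-out must be requested explicitly, and only takes effect when
    debug is True, so a stray variable in production fails loudly instead
    of silently sending cookies over plain HTTP.
    """
    environ = os.environ if environ is None else environ
    opt_out = environ.get("DEV_INSECURE_COOKIES", "") == "1"
    if opt_out and not debug:
        raise RuntimeError(
            "DEV_INSECURE_COOKIES=1 is only allowed when DEBUG is enabled"
        )
    return {name: not opt_out for name in SECURE_COOKIE_SETTINGS}


def insecure_cookie_settings(settings):
    """Deployment check: list the settings that are missing or not True."""
    return [
        name for name in SECURE_COOKIE_SETTINGS
        if settings.get(name) is not True
    ]


# In a settings module this would be applied as:
#   globals().update(cookie_secure_settings(DEBUG))
```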