diff --git a/cmd/server/main.go b/cmd/server/main.go
index 90ab19e..f9316b9 100644
--- a/cmd/server/main.go
+++ b/cmd/server/main.go
@@ -235,6 +235,18 @@ func main() {
 		})),
 	)
 
+	// gorilla/csrf v1.7.x defaults the assumed request scheme to "https" for
+	// Origin/Referer checks. On plaintext HTTP the browser-sent Origin
+	// (e.g. http://localhost:8082) won't match, so flag requests as plaintext.
+	if !cfg.SecureCookies {
+		inner := csrfMiddleware
+		csrfMiddleware = func(next http.Handler) http.Handler {
+			return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				inner(next).ServeHTTP(w, csrf.PlaintextHTTPRequest(r))
+			})
+		}
+	}
+
 	// Admin routes (under /cm)
 	admin := r.PathPrefix("/cm").Subrouter()
 	admin.Use(csrfMiddleware)
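Review bot: The wrapper rebuilds the protected handler on every request — `inner(next)` runs inside the per-request HandlerFunc, so the CSRF middleware chain is re-instantiated for each call instead of once when the router is assembled; hoist it out of the closure: `protected := inner(next)` before the `return http.HandlerFunc(...)`, and `protected.ServeHTTP(w, csrf.PlaintextHTTPRequest(r))` inside it. The plaintext flag is also keyed on `cfg.SecureCookies`, a cookie setting, rather than on the scheme the server actually receives; if a deployment runs HTTPS with SecureCookies false (or behind a TLS-terminating proxy with it true) the Origin/Referer comparison will presumably fail closed rather than be bypassed, but the outage would be hard to trace, so the comment should name that assumption explicitly, e.g. `// SecureCookies is used as the "served over TLS" signal; keep it in sync with the scheme clients use.` main's body begins and continues outside this hunk.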