diff --git a/src/aphront/AphrontRequest.php b/src/aphront/AphrontRequest.php
index 050c71f1d7..99e051a1ec 100644
--- a/src/aphront/AphrontRequest.php
+++ b/src/aphront/AphrontRequest.php
@@ -305,6 +305,11 @@ final class AphrontRequest {
    * @task cookie
    */
   private function getCookieDomainURI() {
+    if (PhabricatorEnv::getEnvConfig('security.require-https') &&
+        !$this->isHTTPS()) {
+      return null;
+    }
+
     $host = $this->getHost();
 
     // If there's no base domain configured, just use whatever the request