diff --git a/environments/ssl/enable-tls.yaml b/environments/ssl/enable-tls.yaml
index df1294cc49..7b8535e244 100644
--- a/environments/ssl/enable-tls.yaml
+++ b/environments/ssl/enable-tls.yaml
@@ -10,6 +10,10 @@
 #   For these values to take effect, one of the tls-endpoints-*.yaml
 #   environments must also be used.
 parameter_defaults:
+  # Set CSRF_COOKIE_SECURE / SESSION_COOKIE_SECURE in Horizon
+  # Type: boolean
+  HorizonSecureCookies: True
+
   # The content of the SSL certificate (without Key) in PEM format.
   # Type: string
   SSLCertificate: |
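Review bot: The comment added above `HorizonSecureCookies` names the two Django settings but not what they do to a deployment, and it sits under a file header saying these values only take effect together with a tls-endpoints-*.yaml environment. That header probably does not hold for this parameter, since it appears to be consumed by the Horizon service template rather than the endpoint map. With the Secure attribute set, browsers send the session and CSRF cookies only over HTTPS, so including this file while the dashboard is still reached over plain HTTP would likely break login. I would word it as `# Mark Horizon's session and CSRF cookies Secure (sent over HTTPS only); the dashboard must be served over TLS.` If this file is generated from sample-env-generator/ssl.yaml, the wording belongs in the parameter description in puppet/services/horizon.yaml, which is not shown here.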
diff --git a/sample-env-generator/ssl.yaml b/sample-env-generator/ssl.yaml
index 35d923d9db..1adb50b723 100644
--- a/sample-env-generator/ssl.yaml
+++ b/sample-env-generator/ssl.yaml
@@ -9,6 +9,9 @@ environments:
     files:
       puppet/services/haproxy-public-tls-inject.yaml:
         parameters: all
+      puppet/services/horizon.yaml:
+        parameters:
+          - HorizonSecureCookies
     static:
       # This should probably be private, but for testing static params I'm
       # setting it as such for now.
@@ -20,6 +23,7 @@ environments:
       SSLKey: |-
         |
             The contents of the private key go here
+      HorizonSecureCookies: True
   -
     name: ssl/enable-internal-tls
     title: Enable SSL on OpenStack Internal Endpoints