diff --git a/changelog.md b/changelog.md
index b2d36e9ac122..4e9d6809653d 100644
--- a/changelog.md
+++ b/changelog.md
@@ -1,5 +1,8 @@
 # Tagup Changelog
+## 2023-10-17
+Added the `Secure;` flag to all `Set-Cookie` headers streamlit sends. This is to remediate possible vulnerabilities that our pentesters flagged. The `Secure;` flag makes it so the browser will only pass the set cookie over https.
+
 ## 2023-06-22
 - Removed the use of the `expressionInterpreter` when rendering Vega Lite charts. Using this renderer exposes a bug where a specified x-domain results in charts not rendering correctly. See these threads for more details: https://discuss.streamlit.io/t/time-axis-with-custom-scale/33524 https://github.com/vega/vega/issues/3632
 - Pinned `wheel` to 0.40.0 to fix a build error
diff --git a/frontend/lib/src/util/utils.ts b/frontend/lib/src/util/utils.ts
index 44cc07d7a9bf..16626851a220 100644
--- a/frontend/lib/src/util/utils.ts
+++ b/frontend/lib/src/util/utils.ts
@@ -282,7 +282,7 @@ export function setCookie(
 ): void {
 const expirationDate = value ? expiration : new Date()
 const expirationStr: string = expirationDate
-? `expires=${expirationDate.toUTCString()};`
+? `expires=${expirationDate.toUTCString()}; Secure;`
 : ""
 document.cookie = `${name}=${value};${expirationStr}path=/`
 }
diff --git a/frontend/package.json b/frontend/package.json
index 2e74f4d667fd..77894e7b1fb6 100644
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -1,6 +1,6 @@
 {
 "name": "streamlit",
-"version": "1.26.0.dev1",
+"version": "1.26.0.dev2",
 "private": true,
 "workspaces": [
 "app",
diff --git a/lib/setup.py b/lib/setup.py
index 85d2a1bd0ee6..d91f183759ea 100644
--- a/lib/setup.py
+++ b/lib/setup.py
@@ -21,7 +21,7 @@ THIS_DIRECTORY = Path(__file__).parent
-VERSION = "1.26.0.dev1" # PEP-440
+VERSION = "1.26.0.dev2" # PEP-440
 NAME = "streamlit"
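Review bot: The `Secure` attribute is only emitted inside `expirationStr`, so when `value` is set but `expiration` is undefined the ternary yields `""` and the cookie is written as a session cookie without `Secure`, which is exactly the case the commit intends to cover. Attach the attribute unconditionally instead: keep the `expires=` branch as it was and append `;Secure` to the template literal on the `document.cookie` line, so every write — including the deletion path that sets `new Date()` — carries it. Browsers refuse to store a `Secure` cookie written from a non-https origin (localhost excepted), so a deployment served over plain http will silently lose this cookie; a comment on the assignment such as `// Secure: browsers discard this cookie on non-https origins other than localhost` would save the next debugger some time. The signature and parameter list of `setCookie` begin before this hunk. The changelog entry in the same commit speaks of server-sent `Set-Cookie` headers, whereas this change is a client-side `document.cookie` write; the wording should reflect which side actually changed.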