diff --git a/devbin/dev_proxy.py b/devbin/dev_proxy.py
index a277f7f4d34..268a2d33afb 100644
--- a/devbin/dev_proxy.py
+++ b/devbin/dev_proxy.py
@@ -48,7 +48,7 @@ async def render_html(request: web.Request, context: dict):
 # Make links point back to the local dev server and not use
 # the dev namespace path rewrite shenanigans.
 context['page_context']['base_path'] = ''
- return await render_template(SERVICE, request, **context, cookie_domain='localhost:8000')
+ return await render_template(SERVICE, request, **context)
 async def on_startup(app: web.Application):
diff --git a/web_common/web_common/web_common.py b/web_common/web_common/web_common.py
index 511f1eb984f..3aca0472740 100644
--- a/web_common/web_common/web_common.py
+++ b/web_common/web_common/web_common.py
@@ -79,8 +79,6 @@ async def render_template(
 userdata: Optional[UserData],
 file: str,
 page_context: Dict[str, Any],
- *,
- cookie_domain: Optional[str] = None,
 ) -> web.Response:
 if request.headers.get('x-hail-return-jinja-context'):
 if userdata and userdata['is_developer']:
@@ -98,6 +96,5 @@ async def render_template(
 context['csrf_token'] = csrf_token
 response = aiohttp_jinja2.render_template(file, request, context)
- domain = cookie_domain or deploy_config._domain
- response.set_cookie('_csrf', csrf_token, domain=domain, secure=True, httponly=True)
+ response.set_cookie('_csrf', csrf_token, secure=True, httponly=True, samesite='strict')
 return response
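Review bot: Dropping `domain=` makes `_csrf` a host-only cookie, which is the tighter scope, but a sibling subdomain can still plant a `Domain=`-scoped cookie of the same name that the browser sends alongside it, and that matters if this cookie is compared against the submitted `context['csrf_token']` (the verifier is outside this hunk, so I am inferring the double-submit pattern). Since the cookie is now Secure, host-only and on the default `/` path it qualifies for the `__Host-` prefix, which makes the browser enforce exactly those properties and rejects any shadowing attempt: `response.set_cookie('__Host-_csrf', csrf_token, secure=True, httponly=True, samesite='strict')`, with the reader of the cookie renamed to match. With `httponly=True` the token is reachable only from the rendered page, so any fetch/XHR caller must take it from the template rather than `document.cookie`; `samesite='strict'` is acceptable here because every render re-issues the cookie, and a one-line comment to that effect above the `set_cookie` call would stop the next reader from relaxing it to `lax`. The body of `render_template` begins before this hunk.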