diff --git a/backend/src/app/api/admin/login/route.ts b/backend/src/app/api/admin/login/route.ts
index 1ed9c91..3d74acf 100644
--- a/backend/src/app/api/admin/login/route.ts
+++ b/backend/src/app/api/admin/login/route.ts
@@ -3,12 +3,17 @@ import { NextRequest, NextResponse } from 'next/server';
 export async function POST(request: NextRequest) {
 const { password } = await request.json();
 const ADMIN_PASSWORD = process.env.ADMIN_PASSWORD || 'admin';
+ console.log('[AdminLogin] attempt', { providedLength: password?.length, expectedLength: ADMIN_PASSWORD.length, match: password === ADMIN_PASSWORD });
 if (password !== ADMIN_PASSWORD) {
+ console.log('[AdminLogin] failed: password mismatch');
 return NextResponse.json({ success: false, error: 'Invalid password' }, { status: 401 });
 }
+ const secure = request.nextUrl.protocol === 'https:' || request.headers.get('x-forwarded-proto') === 'https';
+ console.log('[AdminLogin] success, setting cookie', { secure, protocol: request.nextUrl.protocol, forwardedProto: request.headers.get('x-forwarded-proto') });
 const response = NextResponse.json({ success: true });
 response.cookies.set('admin_session', 'authenticated', {
- httpOnly: true, secure: true, sameSite: 'lax', path: '/admin', maxAge: 86400,
+ httpOnly: true, secure, sameSite: 'lax', path: '/admin', maxAge: 86400,
 });
 return response;
 }
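Review bot: The added `console.log('[AdminLogin] attempt', …)` writes `expectedLength` and `match` to the server log, which discloses the length of the admin password to anyone who can read logs, and the last added `console.log` of `response.headers.get('set-cookie')` writes the session cookie itself; these debug lines should be dropped before merge or reduced to a value-free event such as `console.warn('[AdminLogin] failed login')`. The new `secure` value is false whenever neither the request URL nor `x-forwarded-proto` reports HTTPS (for example behind a proxy that does not set the header), so the `admin_session` cookie can now be issued without the Secure attribute and travel over plain HTTP; if the relaxation is only needed for local work, keep it on elsewhere, e.g. `const secure = process.env.NODE_ENV === 'production' || request.nextUrl.protocol === 'https:';`. Separately, the unchanged context lines still fall back to the password `'admin'` when `ADMIN_PASSWORD` is unset and set the constant cookie value `'authenticated'`, neither of which this commit addresses.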