diff --git a/scripts/federation.sh b/scripts/federation.sh
index 335ebc6..ae6cc39 100755
--- a/scripts/federation.sh
+++ b/scripts/federation.sh
@@ -24,12 +24,11 @@ echo $ALPHA_DB_URL
 # get rid of processes leftover from previous runs
 killall ibis || true
 
+CARGO_TARGET_DIR=target/frontend trunk build
+
 # launch a couple of local instances to test federation
 # sometimes ctrl+c doesnt work properly, so you have to kill trunk, cargo-watch and ibis manually
-# TODO: somehow instances use wrong port resulting in cors errors
 (trap 'kill 0' SIGINT;
-  sh -c "CARGO_TARGET_DIR=target/frontend trunk serve -w src/frontend/ --proxy-backend http://127.0.0.1:8071 --port 8070" &
-  sh -c "IBIS__BIND=127.0.0.1:8071 IBIS__FEDERATION__DOMAIN=ibis-alpha:8070 IBIS__DATABASE_URL=$ALPHA_DB_URL cargo run" &
-  sh -c "CARGO_TARGET_DIR=target/frontend trunk serve -w src/frontend/ --proxy-backend http://127.0.0.1:8081 --port 8080" &
-  sh -c "IBIS__BIND=127.0.0.1:8081 IBIS__FEDERATION__DOMAIN=ibis-beta:8080 IBIS__DATABASE_URL=$BETA_DB_URL cargo run" &
+  sh -c "IBIS__BIND=127.0.0.1:8070 IBIS__FEDERATION__DOMAIN=ibis-alpha:8070 IBIS__DATABASE_URL=$ALPHA_DB_URL cargo run" &
+  sh -c "IBIS__BIND=127.0.0.1:8080 IBIS__FEDERATION__DOMAIN=ibis-beta:8080 IBIS__DATABASE_URL=$BETA_DB_URL cargo run" &
 )
\ No newline at end of file
diff --git a/src/backend/api/mod.rs b/src/backend/api/mod.rs
index dbbe629..2b1197a 100644
--- a/src/backend/api/mod.rs
+++ b/src/backend/api/mod.rs
@@ -26,7 +26,6 @@ use axum::{Json, Router};
 use axum_extra::extract::CookieJar;
 use axum_macros::debug_handler;
 use futures::future::try_join_all;
-use log::warn;
 
 pub mod article;
 pub mod instance;
@@ -60,11 +59,9 @@ async fn auth<B>(
     next: Next<B>,
 ) -> Result<Response, StatusCode> {
     if let Some(auth) = jar.get(AUTH_COOKIE) {
-        let user = validate(auth.value(), &data).await.map_err(|e| {
-            warn!("Failed to validate auth token: {e}");
-            StatusCode::UNAUTHORIZED
-        })?;
-        request.extensions_mut().insert(user);
+        if let Ok(user) = validate(auth.value(), &data).await {
+            request.extensions_mut().insert(user);
+        }
     }
     let response = next.run(request).await;
     Ok(response)
diff --git a/src/backend/api/user.rs b/src/backend/api/user.rs
index 3052bb3..8eabe78 100644
--- a/src/backend/api/user.rs
+++ b/src/backend/api/user.rs
@@ -94,8 +94,7 @@ fn create_cookie(jwt: String, data: &Data<IbisData>) -> Cookie<'static> {
         .same_site(SameSite::Strict)
         .path("/")
         .http_only(true)
-        // TODO: not in debug mode
-        //.secure(true)
+        .secure(!cfg!(debug_assertions))
         .expires(Expiration::DateTime(
             OffsetDateTime::now_utc() + Duration::weeks(52),
         ))