On the Mendix Cloud, this will be enabled by default. Elsewhere, you need to pass a header in proxied requests from the SSL/TLS termination point to your Mendix runtime, in order to tell the runtime that it’s running behind an HTTPS endpoint. Adding this header will cause the runtime to return Secure and HttpOnly session cookies.

See here for details: https://docs.mendix.com/developerportal/deploy/security-checklist-for-your-on-premises-installation#5-using-a-http-reverse-proxy-with-ssl-support