Security: Set-Cookie secure in productionMode

I’ve noticed that Vaadin automatically sets the Set-Cookie header to “secure” in productionMode, while in debugMode this is not the case. While this seems quite sensible in general, it means that you cannot debug a productionMode app locally. I need to do this sometimes to debug our containerized Vaadin apps (which are built in productionMode) or on internal CI servers, which don’t have https enabled.

While I do realise the value of having https everywhere, it is often a problem behind corporate firewalls, where your dev servers cannot reach out to letsencrypt (or rather let letsencrypt reach back in). So my question: is there any way to build a productionMode app that would run on http, even if only on localhost?