diff --git a/lib/config.js b/lib/config.js
index d9b2fab..99cfacb 100644
--- a/lib/config.js
+++ b/lib/config.js
@@ -48,6 +48,7 @@ class Config {
 
 function applyDefaults(cfg = {}, defaults = {}) {
   for (const d in defaults) {
+    if (d === "__proto__" || d === "constructor") continue;
     if ([undefined, null].includes(cfg[d])) {
       cfg[d] = defaults[d]
     } else if (typeof cfg[d] === 'object' && typeof defaults[d] === 'object') {
diff --git a/routes/index.js b/routes/index.js
index 3c3d213..66abeed 100644
--- a/routes/index.js
+++ b/routes/index.js
@@ -57,10 +57,8 @@ async function setup() {
     },
   ])
 
-  const sessionCfg = await Config.get('session')
-
   server.auth.strategy('session', 'cookie', {
-    cookie: sessionCfg.cookie,
+    cookie: httpCfg.cookie,
 
     validate: async (request, session) => {
       const s = await Session.get({ id: session.nt_user_session_id })