diff --git a/src/Controller/AskSseController.php b/src/Controller/AskSseController.php
index 245079b..866f799 100644
--- a/src/Controller/AskSseController.php
+++ b/src/Controller/AskSseController.php
@@ -52,6 +52,7 @@ final readonly class AskSseController
 if ($prompt === '') {
 $this->sendEvent('error', 'Empty prompt');
+ $this->sendEvent('done', '[DONE]');
 return;
 }
@@ -63,11 +64,12 @@ final readonly class AskSseController
 $chunk = str_replace(["\r\n", "\r"], "\n", $chunk);
 $this->sendData($chunk);
 }
-
- $this->sendEvent('done', '[DONE]');
 } catch (\Throwable $e) {
- $this->sendData('❌ Stream abgebrochen: ' . $e->getMessage() . '');
- $this->sendEvent('done', '[DONE]');
+ $this->sendData(
+ '❌ Stream abgebrochen: '
+ . htmlspecialchars($e->getMessage(), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
+ . ''
+ );
 }
 // ---------------------------------------------------------
diff --git a/src/Http/ClientIdResolver.php b/src/Http/ClientIdResolver.php
index 8558354..9f167d9 100644
--- a/src/Http/ClientIdResolver.php
+++ b/src/Http/ClientIdResolver.php
@@ -35,7 +35,7 @@ final class ClientIdResolver
 value: $clientId,
 expire: strtotime('+1 year'),
 path: '/',
- secure: false, // set true in production with HTTPS
+ secure: true, // set true in production with HTTPS
 httpOnly: true,
 sameSite: Cookie::SAMESITE_LAX
 )
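Review bot: The catch block in AskSseController (second hunk) still sends `$e->getMessage()` to the browser; htmlspecialchars stops markup injection but not disclosure, because a `\Throwable` message can carry upstream URLs, file paths or other internals. Consider recording the exception server-side and sending a fixed text instead, e.g. `$this->sendData('❌ Stream abgebrochen');`. The loop normalises line endings in `$chunk` before `sendData()`, whereas the exception message is passed through as-is; whether embedded newlines can break the SSE frame depends on `sendData()`, which is outside the hunk. The try block starts above the hunk, and the 'done' event removed here is presumably emitted after the catch, which is not visible.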
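Review bot: The trailing comment on the changed line in ClientIdResolver is now stale: `secure: true, // set true in production with HTTPS` reads as a to-do although the flag is already set. Hard-coding it also means browsers will generally not return the cookie over plain HTTP, so a non-TLS development setup would probably get a fresh client id on every request. Suggest `secure: true, // cookie is only sent over HTTPS`, or, if plain-HTTP environments must keep working, deriving the flag from the request scheme or from configuration. The enclosing call starts above the hunk.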