diff --git a/portfolios/views.py b/portfolios/views.py
index a7a2e08..00d33ed 100644
--- a/portfolios/views.py
+++ b/portfolios/views.py
@@ -77,8 +77,11 @@ class PortfolioChangeState(APIView):
portfolio = get_object_or_404(Portfolio, pk=pk)
user = request.user
action_type = request.query_params.get('type')
- if PortfolioBeforeRelCheckService.check_user_portfolio_rel(action_type, portfolio, user):
- return Response({"message": "already done"}, status=status.HTTP_400_BAD_REQUEST)
+ try:
+ if PortfolioBeforeRelCheckService.check_user_portfolio_rel(action_type, portfolio, user):
+ return Response({"message": "already done"}, status=status.HTTP_400_BAD_REQUEST)
+ except ValueError as e:
+ return Response({'message': str(e)}, status=status.HTTP_400_BAD_REQUEST)
return self._handle_action(action_type, portfolio, user, add=True)
@transaction.atomic
@@ -86,8 +89,11 @@ class PortfolioChangeState(APIView):
portfolio = get_object_or_404(Portfolio, pk=pk)
user = request.user
action_type = request.query_params.get('type')
- if not PortfolioBeforeRelCheckService.check_user_portfolio_rel(action_type, portfolio, user):
- return Response({"message": "never done before"}, status=status.HTTP_400_BAD_REQUEST)
+ try:
+ if not PortfolioBeforeRelCheckService.check_user_portfolio_rel(action_type, portfolio, user):
+ return Response({"message": "never done before"}, status=status.HTTP_400_BAD_REQUEST)
+ except ValueError as e:
+ return Response({'message': str(e)}, status=status.HTTP_400_BAD_REQUEST)
return self._handle_action(action_type, portfolio, user, add=False)
def _handle_action(self, action_type, portfolio, user, add=True):
diff --git a/users/views.py b/users/views.py
index 0d5d232..b70013f 100644
--- a/users/views.py
+++ b/users/views.py
@@ -1,3 +1,5 @@
+from django.conf import settings
+
from django.shortcuts import get_object_or_404
from rest_framework.views import APIView
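Review bot: The new `except ValueError as e` branches in both hunks of portfolios/views.py (the add path at -77 and the remove path at -86) echo `str(e)` straight into the 400 response body, so any ValueError raised anywhere beneath `check_user_portfolio_rel` — not only the service's own message for an unrecognised `type` query parameter — reaches the client verbatim; if the service delegates to parsing or ORM code that can raise ValueError, internal detail may leak. Safer is a fixed client-facing message with the original kept server-side, e.g. `except ValueError: return Response({'message': 'invalid action type'}, status=status.HTTP_400_BAD_REQUEST)` plus a log line if the module has a logger. The try/except is duplicated verbatim in both methods; a small private helper that returns either the early Response or None would keep the two paths from drifting. Both enclosing methods start outside the hunks.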
@@ -28,7 +30,7 @@ class RefreshAPIView(APIView):
serializer = TokenRefreshSerializer(data={'refresh': refresh})
if serializer.is_valid():
res = Response({"access": serializer.validated_data['access']}, status=status.HTTP_200_OK)
- res.set_cookie("refresh", serializer.validated_data['refresh'], httponly=True, samesite="Lax", secure=True)
+ res.set_cookie("refresh", serializer.validated_data['refresh'], httponly=True, samesite="Lax", secure=not settings.DEBUG)
return res
except TokenError as e:
return Response({"message": f"Invalid token: {e}"}, status=status.HTTP_401_UNAUTHORIZED)
@@ -75,7 +77,7 @@ class LoginAPIView(APIView):
},
status=status.HTTP_200_OK,
)
- res.set_cookie("refresh", serializer.validated_data['refresh'], httponly=True, samesite="Lax", secure=True)
+ res.set_cookie("refresh", serializer.validated_data['refresh'], httponly=True, samesite="Lax", secure=not settings.DEBUG)
return res
else:
return Response(serializer.errors)
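Review bot: Deriving the refresh cookie's Secure flag from `settings.DEBUG` in both hunks (RefreshAPIView at -28 and LoginAPIView at -75) couples a transport-security attribute to a debugging switch: any deployment that ships with DEBUG left on also sends the refresh token over plain HTTP, and nothing in the diff would surface that. A dedicated setting keeps the two concerns apart and defaults safe, e.g. `secure=getattr(settings, "SESSION_COOKIE_SECURE", True)` (Django's existing session-cookie setting) or a project-specific flag such as `REFRESH_COOKIE_SECURE` (name constructed) that is only False in local settings. Since the cookie name, `httponly` and `samesite` attributes are now repeated in two views, a single `_set_refresh_cookie(res, token)` helper would keep them consistent when the next attribute changes. Both enclosing methods start outside the hunks.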