Cookies setup for Express on Heroku with Cloudflare

Hello everyone, I’m new and I’m trying to set up our white-labelled app on Cloudflare for a client who had already bought a domain here. I’m having a hard time configuring the cookies. My session cookie is not being set on the frontend. This setup works on domains for which I just set the DNS to point to Heroku, with Heroku’s automatic certificate management (ACM).

For both CNAME records added, the proxy status is “proxied”.
The SSL/TLS encryption mode is Full.

Here’s a visualization of the stack:
Express backend on Heroku → Cf --><-- Cf ← Nextjs (node) frontend on Heroku

Express backend main excerpt

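import cors from 'cors';
import connectRedis from 'connect-redis';
import express from 'express';
import session, { CookieOptions, SessionOptions } from 'express-session';
import redis from 'redis';

// __prod__ and COOKIE_NAME come from the app's own code, not shown in this excerpt

const main = async () => {

  /* ... some code skipped ... */

  const app = express();

  const RedisStore = connectRedis(session);

  const redisClient = redis.createClient(process.env.REDIS_URL);

  //Number of proxy hops in front of the app whose X-Forwarded-* headers are trusted
  app.set('trust proxy', 2);

  app.use(
    cors({
      origin: process.env.CORS_ORIGIN,
      credentials: true,
      exposedHeaders: ['Authorization']
    })
  );

  const getSessionOptions = (): SessionOptions => {
    let cookieOptions: CookieOptions;
    if (__prod__) {
      cookieOptions = {
        //No access to cookie from javascript
        httpOnly: true,
        //10 years
        maxAge: 315360000000,
        //Allow only https
        secure: true,
        sameSite: true,
        domain: process.env.COOKIE_DOMAIN
      };
    } else {
      cookieOptions = {
        //No access to cookie from javascript
        httpOnly: true,
        //Allow plain http outside production
        secure: false,
        sameSite: true
      };
    }

    return {
      name: COOKIE_NAME,
      store: new RedisStore({ client: redisClient, disableTouch: true }),
      cookie: cookieOptions,
      saveUninitialized: false,
      secret: process.env.SESSION_SECRET,
      resave: false,
      proxy: true
    };
  };

  /* ... rest of main is not shown in the excerpt ... */
};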

NextJs frontend

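import { ApolloClient } from '@apollo/client';
import { NextPageContext } from 'next';

export const createClient: (ctx: NextPageContext) => any = (ctx) => {
  return new ApolloClient({
    uri: process.env.NEXT_PUBLIC_API_URL as string,
    credentials: 'include',
    connectToDevTools: true,
    headers: {
      //During server-side rendering, forward the browser's cookie header to the API
      cookie: (isServer() ? ctx?.req?.headers.cookie : undefined) || ''
    }
    //.. rest is skipped
  });
};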

So far I tried playing with app.set('trust proxy', 1), with values from 1 to 4 and true, without success.

Are you able to see a problem with this setup?
Am I missing a step in the setup (on the dashboard for example)?

Please let me know if I can provide more information, thank you for your precious help!

@MoreHelp please :’/

The problem was the cookie domain.

In my initial setup, we were using :

I changed the cookie domain var to “” to fix the problem
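
An added example, not part of the original thread: a browser ignores a Set-Cookie whose Domain attribute does not domain-match the host that sent the response (RFC 6265, sections 5.1.3 and 5.3), and an empty Domain yields a host-only cookie, which is why the fix above works. The function names and the hostnames in the comments are constructed for illustration; the public-suffix check that browsers also apply is not modelled.

```typescript
interface CookieDecision {
  stored: boolean;   // would the browser keep the cookie?
  hostOnly: boolean; // true when no Domain attribute applies
  scope: string;     // host or domain the cookie is bound to
  reason: string;    // why it was rejected, empty otherwise
}

const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

// Lowercase and drop a leading or trailing dot, as browsers do before comparing.
function canonical(host: string): string {
  return host.trim().toLowerCase().replace(/^\./, '').replace(/\.$/, '');
}

// RFC 6265 5.1.3: identical, or a suffix on a label boundary of a non-IP host.
function domainMatches(requestHost: string, cookieDomain: string): boolean {
  const host = canonical(requestHost);
  const domain = canonical(cookieDomain);
  if (host === domain) return true;
  const isIp = IPV4.test(host) || host.includes(':');
  return !isIp && host.endsWith('.' + domain);
}

// RFC 6265 5.3: decide what happens to Set-Cookie sent by requestHost.
function decideCookie(requestHost: string, domainAttr?: string): CookieDecision {
  const host = canonical(requestHost);
  if (!domainAttr || canonical(domainAttr) === '') {
    return { stored: true, hostOnly: true, scope: host, reason: '' };
  }
  if (!domainMatches(host, domainAttr)) {
    const reason = `Domain=${domainAttr} does not match ${host}`;
    return { stored: false, hostOnly: false, scope: '', reason };
  }
  return { stored: true, hostOnly: false, scope: canonical(domainAttr), reason: '' };
}

// Startup guard (hypothetical helper): fail loudly instead of silently losing
// the session cookie when COOKIE_DOMAIN does not fit the API's public host.
// Returns the value to pass as cookie.domain; undefined means host-only.
function checkCookieDomain(apiHost: string, envValue?: string): string | undefined {
  const decision = decideCookie(apiHost, envValue);
  if (!decision.stored) {
    throw new Error(`COOKIE_DOMAIN misconfigured: ${decision.reason}`);
  }
  return decision.hostOnly ? undefined : decision.scope;
}
```

Calling `checkCookieDomain('api.client-brand.example', process.env.COOKIE_DOMAIN)` before building the session options would surface a leftover domain from another deployment at boot rather than as a missing cookie in the browser.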
