Missing Set-Cookie in Response from Cloudflare Proxy

My client is making an API request through a Cloudflare proxy, but when the server sends a ‘set-cookie’ in the response, it appears to be missing when received from Cloudflare. Below are the headers from both the proxy and the backend. Could you help understand why the ‘set-cookie’ header is missing in the response from Cloudflare?

Response header Cloudflare:

 access-control-allow-origin: * 
 alt-svc: h3=":443"; ma=86400 
 cf-cache-status: DYNAMIC 
 cf-ray: 88d6f9d75ac9bb97-FRA 
 content-encoding: br 
 content-security-policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests 
 content-type: application/json; charset=utf-8 
 cross-origin-opener-policy: same-origin 
 cross-origin-resource-policy: same-origin 
 date: Sun,02 Jun 2024 11:06:46 GMT 
 etag: W/"4f-IEKjhO7rMIC5URWvFSzqW+0be0w" 
 nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} 
 origin-agent-cluster: ?1 
 referrer-policy: no-referrer 
 report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=H0TU3bBLJMstcfhJr4RCtGF532DAw0Tzs5%2BpQVW%2BWzPqsAbtkgG8BkTbV91sqTte7p6ZEI5kfQhqAdLiB2qbgF0%2FUYKN9qrXJFwLUasarNe%2BTMc20PJiEnhV8AYSF2rHWxSF"}],"group":"cf-nel","max_age":604800} 
 server: cloudflare 
 strict-transport-security: max-age=15552000; includeSubDomains 
 x-content-type-options: nosniff 
 x-dns-prefetch-control: off 
 x-download-options: noopen 
 x-frame-options: DENY 
 x-permitted-cross-domain-policies: none 
 x-ratelimit-limit: 150 
 x-ratelimit-remaining: 148 
 x-ratelimit-reset: 1717327295 
 x-xss-protection: 0 

Response headers Backend server:

[Symbol(kOutHeaders)]: [Object: null prototype] {
    'x-ratelimit-limit': [ 'X-RateLimit-Limit', '150' ],
    'x-ratelimit-remaining': [ 'X-RateLimit-Remaining', '148' ],
    date: [ 'Date', 'Sun, 02 Jun 2024 11:06:46 GMT' ],
    'x-ratelimit-reset': [ 'X-RateLimit-Reset', '1717327295' ],
    'content-security-policy': [
      'Content-Security-Policy',
      "default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests"
    ],
    'cross-origin-opener-policy': [ 'Cross-Origin-Opener-Policy', 'same-origin' ],
    'cross-origin-resource-policy': [ 'Cross-Origin-Resource-Policy', 'same-origin' ],
    'origin-agent-cluster': [ 'Origin-Agent-Cluster', '?1' ],
    'referrer-policy': [ 'Referrer-Policy', 'no-referrer' ],
    'strict-transport-security': [
      'Strict-Transport-Security',
      'max-age=15552000; includeSubDomains'
    ],
    'x-content-type-options': [ 'X-Content-Type-Options', 'nosniff' ],
    'x-dns-prefetch-control': [ 'X-DNS-Prefetch-Control', 'off' ],
    'x-download-options': [ 'X-Download-Options', 'noopen' ],
    'x-frame-options': [ 'X-Frame-Options', 'DENY' ],
    'x-permitted-cross-domain-policies': [ 'X-Permitted-Cross-Domain-Policies', 'none' ],
    'x-xss-protection': [ 'X-XSS-Protection', '0' ],
    'access-control-allow-origin': [ 'Access-Control-Allow-Origin', '*' ],
    'set-cookie': [
      'Set-Cookie',
      'accessToken=eyJhb....; Max-Age=900; Path=/; Expires=Sun, 02 Jun 2024 11:21:46 GMT; HttpOnly; Secure'
    ]

The problem was on the client side, not related to Cloudflare.

But just in case I added headers on the server side:

Access-Control-Allow-Origin https://example.org
Access-Control-Allow-Credentials true
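
Added example, not code from the thread: the following JavaScript applies the Fetch standard's CORS check to the two header sets shown above (the wildcard origin seen through Cloudflare, and the headers added afterwards). The calling page's origin and the client's credentials mode are assumptions, since the thread does not say what the client-side problem was.

```javascript
// Added example: the Fetch standard's CORS check for a cross-origin response,
// plus whether the request carries credentials. A browser only processes
// Set-Cookie on a cross-origin response when credentials are included.
// Assumptions: pageOrigin and credentialsMode; header keys are lowercase.
// Cookie attribute rules (SameSite, third-party cookie blocking) are not modeled.
function checkCrossOriginResponse({ pageOrigin, credentialsMode, headers }) {
  // fetch() defaults to "same-origin", which sends no credentials cross-origin.
  const credentialsIncluded = credentialsMode === "include";
  const acao = headers["access-control-allow-origin"];
  const acac = headers["access-control-allow-credentials"];
  const result = (corsPass, reason) => ({ credentialsIncluded, corsPass, reason });

  if (acao === undefined) {
    return result(false, "Access-Control-Allow-Origin is missing");
  }
  if (!credentialsIncluded && acao === "*") {
    return result(true, "wildcard origin accepted for a request without credentials");
  }
  if (acao !== pageOrigin) {
    return result(false, acao === "*"
      ? "wildcard origin is rejected for a credentialed request"
      : "Access-Control-Allow-Origin does not match the page origin");
  }
  if (!credentialsIncluded) {
    return result(true, "origin matches; request sent without credentials");
  }
  if (acac !== "true") {
    return result(false, "Access-Control-Allow-Credentials is not 'true'");
  }
  return result(true, "origin matches and credentials are allowed");
}

// Header values taken from the thread.
const viaCloudflare = { "access-control-allow-origin": "*" };
const afterChange = {
  "access-control-allow-origin": "https://example.org",
  "access-control-allow-credentials": "true",
};
const pageOrigin = "https://example.org"; // assumed origin of the calling page

for (const [label, headers, credentialsMode] of [
  ["wildcard, default mode", viaCloudflare, "same-origin"],
  ["wildcard, include", viaCloudflare, "include"],
  ["explicit origin, include", afterChange, "include"],
]) {
  console.log(label, checkCrossOriginResponse({ pageOrigin, credentialsMode, headers }));
}
```

The CORS check decides whether the page may read the response; a cookie marked HttpOnly, like the one above, is never visible to page script either way.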
