Rails, CSRF, activerecord-session_store and site

I’m a CloudFlare user running a site with Rails (5.0.7.2) using activerecord-session_store for session management. I’ve been having issues with the CSRF token. When a user signs up for the site, the origin server (at Heroku) should return cookies to set in the browser. The heroku server is returning cookie information in headers, but those headers not being sent to the browser client. Do I need to use a worker to explicitly set session cookies on the browser end, or is there a Page Rule I can use to confirm that cookies from the origin server make it to the client.

If there’s any more information needed, please let me know. Thanks.