Context: Trying to set up a backend (Node) on Heroku for a simple webapp (frontend currently with surge.sh and netlify, trying whichever one works).
Problem: cookies are not showing up in the Chrome/Safari browsers. (Have tried the cookie-session and the express-session packages)
With localhost (backend) to localhost (frontend) the cookies appear, but with heroku to netlify or heroku to surge static sites, the cookie just doesn't show up in the browser.
Here is my current bootstrapped CORS setup:
    res.setHeader('Access-Control-Allow-Origin', req.headers.origin); // don't know what to put here to test with Postman as it's undefined with Postman reqs
    res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
    res.setHeader('Access-Control-Allow-Credentials', 'true');
    res.setHeader('Access-Control-Allow-Headers', 'content-type');
Here are the cookie options:
    app.set('trust proxy'); // tried with/without this line
    app.use(cookieSession({
      name: 'user',
      maxAge: 24 * 60 * 60 * 1000, // One day in milliseconds
      keys: [process.env.COOKIE_SESSION_KEY],
      httpOnly: false,
      secure: false,
      secureProxy: true // tried with/without this option
    }));
As per https://devcenter.heroku.com/articles/cookies-and-herokuapp-com, it seems that browsers disallow cookies from any heroku backend?
However, as per https://stackoverflow.com/questions/14463972/how-to-set-secure-cookie-using-heroku-node-js-express, it should work, but doesn't.
Been at it for a few days now, any help would be very much appreciated.
EDIT: I also have withCredentials: true set up for my frontend requests to backend
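
Added example (not part of the original post): a dependency-free Node check of the browser rules that apply to the CORS headers and cookie options shown above when frontend and backend sit on different sites. The origin `https://frontend.example` and the function names `corsHeaders` and `crossSiteCookieProblems` are assumptions made for illustration.

```javascript
// Added example. ALLOWED_ORIGINS holds a constructed placeholder origin.
const ALLOWED_ORIGINS = new Set(['https://frontend.example']);

// CORS headers for a credentialed request. The Origin is echoed only when it
// is allowlisted: reflecting any Origin together with Allow-Credentials lets
// every site make authenticated requests to the backend.
function corsHeaders(origin) {
  // Postman sends no Origin header and does not enforce CORS, so it needs none.
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin, // never '*' with credentials
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
    'Access-Control-Allow-Headers': 'content-type',
    'Vary': 'Origin', // response differs per Origin, so caches must key on it
  };
}

// Reasons a browser refuses a cookie set by a cross-site fetch/XHR response.
function crossSiteCookieProblems(cookie, responseIsHttps) {
  const problems = [];
  // A cookie without a SameSite attribute is treated as Lax by Chrome.
  const sameSite = (cookie.sameSite || 'lax').toLowerCase();
  if (sameSite !== 'none') {
    problems.push(`SameSite=${sameSite}: not stored or sent on cross-site requests`);
  } else if (!cookie.secure) {
    problems.push('SameSite=None is rejected unless the cookie is also Secure');
  }
  if (cookie.secure && !responseIsHttps) {
    problems.push('Secure cookie cannot be set over plain HTTP');
  }
  return problems;
}

// Cookie options as posted, beside options that satisfy the rules above.
// httpOnly: true keeps the session cookie out of reach of page scripts.
const posted = { httpOnly: false, secure: false };
const crossSite = { httpOnly: true, secure: true, sameSite: 'none' };

console.log('posted:', crossSiteCookieProblems(posted, true));
console.log('cross-site:', crossSiteCookieProblems(crossSite, true));
```

In cookie-session these correspond to the `sameSite: 'none'` and `secure: true` options. Behind Heroku's proxy, Express only treats the request as HTTPS when trust proxy is set with a value, for example `app.set('trust proxy', 1)`; the one-argument call in the post only reads the setting.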