To set cookies on localhost, either have a self-signed cert set up (see refs), or exclude the 'secure' and 'sameSite' directives.
- Be aware of:
  - forbidden headers: these are headers that are instrumented by the client/server and that cannot be set or modified.
  - safelisted headers (simple response headers)
⚠️ Ensure the withCredentials XHR property is set to allow cross-origin requests to set cookies. Or, if using fetch(), set credentials: "include".
- The domain directive must have at least two periods (.) or clients will treat it as invalid.
- 🚩 The leading period sometimes seen in documentation exists only to support old browsers. If the domain directive is included, modern browsers will make the cookie available to the domain and all subdomains.
⚠️ To set a cookie only for a specific domain and not its subdomains, exclude the 'domain' directive.
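The notes above in working form, as an added example (not part of the original notes): one helper builds the Set-Cookie value for localhost versus a real domain, one returns the server headers a credentialed cross-origin request needs, and one the matching fetch() options. All function names and the sample origins are hypothetical.

```javascript
// Added example, not from the original notes. Function names are hypothetical.

// Build a Set-Cookie header value.
//  - localhost: true -> omit Secure and SameSite (no self-signed cert needed)
//  - hostOnly:  true -> omit Domain, so the cookie is NOT sent to subdomains
function buildSetCookie({ name, value, domain, localhost = false, hostOnly = false }) {
  const parts = [`${name}=${encodeURIComponent(value)}`, 'Path=/', 'HttpOnly'];
  if (!localhost) {
    // Secure needs HTTPS, and SameSite=None is rejected without Secure,
    // so on plain http://localhost both directives are left out.
    parts.push('Secure', 'SameSite=None');
  }
  if (domain && !hostOnly) {
    // A leading period is legacy syntax only; modern browsers treat
    // Domain=example.com as covering example.com and every subdomain.
    parts.push(`Domain=${domain.replace(/^\./, '')}`);
  }
  return parts.join('; ');
}

// Server side of a credentialed cross-origin request: the browser only
// accepts cookies when the origin is echoed back explicitly (never "*")
// together with Access-Control-Allow-Credentials: true.
function corsCredentialHeaders(requestOrigin, allowedOrigins) {
  if (!allowedOrigins.includes(requestOrigin)) return null;
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Client side: fetch() needs credentials: "include"
// (the XHR equivalent is xhr.withCredentials = true).
function credentialedFetchInit(method = 'GET') {
  return { method, credentials: 'include', mode: 'cors' };
}
```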