Client side cookie not being sent to server

System Information
  • Strapi Version: 3.6.2
  • Operating System: Ubuntu 20.04
  • Database: PostgreSQL
  • Node Version: 14.16.0
  • NPM Version: 7.12.0
  • Yarn Version: 1.22.10

Hi,

My goal is to set a cookie (secure, samesite="lax") from a custom component in the admin panel so it is sent with every request to the Strapi API via the content-manager. The cookie holds some admin user preferences that I would like to be read by a custom policy in the backend.

In my staging environment, where I serve both the Strapi API and admin UI from the same domain (my-app.example.com), I can do the above successfully.

However, in production, when I serve the Strapi API at https://api.example.com and serve the admin UI from Netlify at https://admin.example.com, the cookie is set but it isn't sent with requests made via the content-manager. Also, requests made via a local plugin using axios send the cookie successfully.

I've set the cookie domain to "example.com" and also tried ".example.com" but to no avail.

I'm using nginx as a reverse proxy in front of the Strapi app. Also, I'm using Cloudflare DNS to proxy my API server.

Does anyone have any idea what’s going on?

Here is my server.js in production:

// config/server.js (Strapi 3.x)
module.exports = ({ env }) => ({
  host: env("HOST", "0.0.0.0"),
  port: env.int("PORT", 1337),
  // Trust X-Forwarded-* headers from nginx/Cloudflare so Strapi sees the
  // public https URL instead of the internal http one.
  proxy: true,
  url: env("API_URL", "https://api.example.com"),
  admin: {
    auth: {
      // A hardcoded fallback secret is unsafe in production; require the
      // variable to be set instead of shipping a default.
      secret: env("ADMIN_JWT_SECRET", "53cr3t"),
    },
    // The admin panel is built separately and served from Netlify, so the
    // API process does not serve it itself.
    url: env("ADMIN_FRONTEND_URL", "https://admin.example.com"),
    serveAdminPanel: false,
    watchIgnoreFiles: ["**/todos/**"],
  },
  cron: {
    enabled: true,
  },
});

And here is my middleware.js:

// config/middleware.js (Strapi 3.x)
module.exports = ({ env }) => ({
  settings: {
    cors: {
      // With credentials: true the origin must be explicit; a wildcard is
      // not allowed for credentialed requests.
      origin: [
        "https://admin.example.com"
      ],
      // Request headers the browser may send in a CORS request. Note that
      // X-Frame-Options is a response header and has no effect listed here.
      headers: [
        "Content-Type",
        "Authorization",
        "X-Frame-Options",
        "X-SLABS-LOCATIONS",
      ],
      // Sends Access-Control-Allow-Credentials: true so cookies can cross
      // origins; the client still has to opt in (withCredentials / include).
      credentials: true,
      expose: ["WWW-Authenticate", "Server-Authorization", "X-SLABS-LOCATIONS"],
    },
    parser: {
      enabled: true,
      includeUnparsed: true,
    },
    cache: {
      enabled: true,
      type: "redis",
      maxAge: 3600000,
      redisConfig: {
        host: env("REDIS_HOST", "0.0.0.0"),
        // env() returns a string when the variable is set; parse it as a number
        // like the PORT setting in server.js.
        port: env.int("REDIS_PORT", 6379),
      },
      models: [
        "booked-treatments",
        "booking-statuses",
        "customers",
        "opening-hours",
        "provided-treatments",
        "locations",
        "session-types",
        "timeslot-statuses",
        {
          model: "public/locations",
        },
      ],
      enableEtagSupport: true,
      populateContext: true,
    },
    "upload-plugin-cache": {
      enabled: true,
      maxAge: 86400000,
      dynamic: true,
      lruCache: {
        max: 1000,
      },
    },
  },
});
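The post's scenario (admin UI on admin.example.com, API on api.example.com, a Secure SameSite=Lax cookie with Domain=example.com) comes down to three independent browser checks: the cookie's Domain attribute, its SameSite attribute, and the credentials mode of the fetch/XHR that makes the request. The following is an added example, not code from the original post or from Strapi: a small model of those rules that can be run against constructed requests to see which check drops the cookie. Hostnames, the cookie name `admin_prefs` and the request shapes are assumptions; the registrable-domain helper assumes a plain two-label domain such as example.com rather than consulting the Public Suffix List.

```javascript
// Added example (not from the original post or Strapi). Models the browser
// rules that decide whether a cookie is attached to a request. All hostnames,
// cookie names and request objects below are constructed.

// Registrable domain ("site") of a host. Real browsers use the Public Suffix
// List; this assumes a two-label eTLD+1, correct for example.com but not for
// hosts such as foo.co.uk.
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  return labels.slice(-2).join(".");
}

// RFC 6265 domain matching: a cookie with Domain=example.com is sent to
// example.com and every subdomain; a leading dot is ignored. A host-only
// cookie (no Domain attribute) goes only to the exact host that set it.
function domainMatches(cookie, requestHost) {
  const host = requestHost.toLowerCase();
  if (!cookie.domain) return host === (cookie.setByHost || "").toLowerCase();
  const d = cookie.domain.toLowerCase().replace(/^\./, "");
  return host === d || host.endsWith("." + d);
}

// Decide whether `cookie` is attached to `req`.
//   req = { url, initiatorOrigin, kind: "navigation" | "fetch", method, credentials }
// Returns { sent, reason } so the failing check is visible.
function cookieWouldBeSent(cookie, req) {
  const url = new URL(req.url);
  const initiator = new URL(req.initiatorOrigin);

  if (!domainMatches(cookie, url.hostname)) {
    return { sent: false, reason: "Domain attribute does not cover " + url.hostname };
  }
  if (cookie.secure && url.protocol !== "https:") {
    return { sent: false, reason: "Secure cookie on a non-https request" };
  }

  const sameSite = registrableDomain(initiator.hostname) === registrableDomain(url.hostname);
  const sameOrigin = initiator.origin === url.origin;

  // SameSite only restricts cross-site requests. admin.example.com ->
  // api.example.com is cross-origin but same-site, so Lax does not block it.
  if (!sameSite) {
    const mode = (cookie.sameSite || "Lax").toLowerCase();
    if (mode === "strict") return { sent: false, reason: "SameSite=Strict blocks cross-site requests" };
    if (mode === "lax") {
      const safeMethod = ["GET", "HEAD", "OPTIONS", "TRACE"].includes(req.method.toUpperCase());
      if (!(req.kind === "navigation" && safeMethod)) {
        return { sent: false, reason: "SameSite=Lax only allows cross-site top-level safe navigations" };
      }
    }
  }

  // Independently of SameSite, a fetch/XHR to a different origin carries
  // cookies only when the caller opts in (fetch credentials: "include",
  // axios/XHR withCredentials: true). The server must then answer with
  // Access-Control-Allow-Credentials: true and a non-wildcard origin.
  if (req.kind === "fetch" && !sameOrigin && req.credentials !== "include") {
    return { sent: false, reason: "cross-origin fetch without credentials: 'include'" };
  }
  return { sent: true, reason: "ok" };
}

// Constructed cookie matching the post: Domain=example.com, Secure, SameSite=Lax.
const prefsCookie = { name: "admin_prefs", domain: "example.com", secure: true, sameSite: "Lax" };

function demo() {
  const base = { initiatorOrigin: "https://admin.example.com", method: "GET" };
  return {
    // staging: same origin, the cookie rides along whatever the credentials mode
    sameOriginFetch: cookieWouldBeSent(prefsCookie, { ...base, url: "https://admin.example.com/locations", kind: "fetch", credentials: "same-origin" }),
    // production, request made without credentials: dropped by the credentials check, not by SameSite
    crossOriginOmit: cookieWouldBeSent(prefsCookie, { ...base, url: "https://api.example.com/locations", kind: "fetch", credentials: "same-origin" }),
    // production, axios with withCredentials: true: attached
    crossOriginInclude: cookieWouldBeSent(prefsCookie, { ...base, url: "https://api.example.com/locations", kind: "fetch", credentials: "include" }),
    // a genuinely cross-site POST is stopped by Lax even with credentials
    crossSitePost: cookieWouldBeSent(prefsCookie, { ...base, initiatorOrigin: "https://evil.example.net", url: "https://api.example.com/locations", kind: "fetch", method: "POST", credentials: "include" }),
  };
}
```

Running `demo()` shows why the staging setup works without any special client handling (same origin) while production depends on the request being credentialed: for admin.example.com calling api.example.com the Domain and SameSite=Lax checks both pass, and the remaining variable is whether the code issuing the request sets the credentials flag, which is also what the `credentials: true` CORS setting on the server side exists to permit.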