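Ok that makes sense, that is essentially what I thought. Here is my golang handler:

```golang
// VerifyOTP checks the submitted one-time code and, on success, issues the
// resulting session token as a cookie and echoes it in the JSON body.
//
// Error mapping: a JSON decode failure is answered with 400; a
// services.ValidationError from the auth service is rendered by
// writeValidationError; any other service error is logged and answered with 500.
func (h *AuthHandler) VerifyOTP(w http.ResponseWriter, r *http.Request) {
	var input services.VerifyOTPInput
	if err := json.NewDecoder(r.Body).Decode(&input); err != nil {
		h.logger.Error("failed to decode request", "error", err)
		errs.WriteBadRequest(w, err.Error())
		return
	}

	token, err := h.authService.VerifyOTP(r.Context(), &input)
	if err != nil {
		var validationErr *services.ValidationError
		if errors.As(err, &validationErr) {
			writeValidationError(w, h.logger, validationErr)
			return
		}
		h.logger.Error("failed to verify OTP", "error", err)
		errs.WriteInternalError(w, err)
		return
	}

	// Session lifetime. Both Expires and MaxAge are set so that clients that
	// honour only one of the two attributes agree on the same lifetime.
	const sessionTTL = 30 * 24 * time.Hour

	// HttpOnly stays on in every environment: it does not depend on TLS, and
	// switching it off in dev only hides an XSS exposure that prod would have.
	// Only Secure, SameSite and Domain differ between environments below.
	cookie := &http.Cookie{
		Name:     "wyer_session",
		Value:    token,
		Path:     "/",
		Expires:  time.Now().Add(sessionTTL),
		MaxAge:   int(sessionTTL / time.Second),
		HttpOnly: true,
	}

	if h.cfg.Env == "dev" {
		// Plain-HTTP localhost: Secure would make the browser discard the
		// cookie, and Lax lets a dev frontend on another port send it on
		// top-level navigations. Domain is intentionally left empty for
		// localhost.
		cookie.SameSite = http.SameSiteLaxMode
		cookie.Secure = false
		h.logger.Info("setting development cookie config",
			"sameSite", cookie.SameSite,
			"httpOnly", cookie.HttpOnly,
			"secure", cookie.Secure,
			"domain", cookie.Domain)
	} else {
		cookie.SameSite = http.SameSiteStrictMode
		cookie.Secure = true
		cookie.Domain = h.cfg.Domain
		h.logger.Info("setting production cookie config",
			"sameSite", cookie.SameSite,
			"httpOnly", cookie.HttpOnly,
			"secure", cookie.Secure,
			"domain", cookie.Domain)
	}
	http.SetCookie(w, cookie)

	// All headers must be in place before WriteHeader. The response carries a
	// credential in both the Set-Cookie header and the body, so no cache may
	// store any part of it: no-store, not a scoped no-cache="Set-Cookie".
	w.Header().Add("Vary", "Cookie")
	w.Header().Set("Cache-Control", "no-store")
	w.Header().Set("Content-Type", "application/json")
	// NOTE(review): a credentialed CORS grant to a fixed dev origin is emitted
	// in every environment. CORS belongs in config-driven middleware; if it has
	// to stay here, it should at least be limited to the dev branch above.
	w.Header().Set("Access-Control-Allow-Credentials", "true")
	w.Header().Set("Access-Control-Allow-Origin", "http://localhost:3000")
	w.WriteHeader(http.StatusOK)

	// NOTE(review): echoing the session token in the body lets page script
	// read it regardless of HttpOnly; keep this only if the client relies on it.
	encodeJSON(w, h.logger, token)
}
```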