I am using Django to return a cookie in a response via set_cookie:

response.set_cookie(
  key = settings.SIMPLE_JWT['AUTH_COOKIE'],
  value = data["refresh"],
  expires = settings.SIMPLE_JWT['REFRESH_TOKEN_LIFETIME'],
  path = settings.SIMPLE_JWT['AUTH_COOKIE_PATH'],
  secure = settings.SIMPLE_JWT['AUTH_COOKIE_SECURE'],
  httponly = settings.SIMPLE_JWT['AUTH_COOKIE_HTTP_ONLY'],
  samesite = settings.SIMPLE_JWT['AUTH_COOKIE_SAMESITE'],
)

where the values are:

SIMPLE_JWT = {
  'ACCESS_TOKEN_LIFETIME': timedelta(minutes=5),
  'REFRESH_TOKEN_LIFETIME': timedelta(days=1),

  ...

  'AUTH_COOKIE': 'refresh_token',
  'AUTH_COOKIE_SECURE': False,
  'AUTH_COOKIE_HTTP_ONLY' : True,
  'AUTH_COOKIE_PATH': '/',
  'AUTH_COOKIE_SAMESITE': 'Lax',
}

CORS is all set up correctly. I am also sending withCredentials: true, in my axios requests correctly.

My problem is that when I test in development (i.e. Frontend hosted at http://127.0.0.1:3000/ and Backend hosted on http://127.0.0.1:8000/) the system works (i.e. the cookie gets set). However, when I use ngrok to tunnel my backend to a secure url, nothing works. I still get the set-cookie headers in my response, so I am receiving the cookies - it's just not setting them. Also, I am on Safari (since I know Chrome has an issue with setting cookies due to requiring values for samesite and secure).

This is my response: here

Any help would be greatly appreciated. Thank you!