credentials: 'include' and CORS: no wildcards, tight rules
When cookies or HTTP auth ride along, Access-Control-Allow-Origin cannot be * and Vary becomes critical.
Tags: cors, cookies, credentials
Browser requirements
Access-Control-Allow-Credentials must be true and paired with a specific Allow-Origin value.
SameSite=None; Secure cookies need HTTPS and thoughtful CSRF defenses on mutating verbs.
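As an added example (not code from the original post), the following plain JavaScript shows the server side of these two requirements: a CORS header builder that echoes only an allowlisted origin, never `*`, and that always sets `Vary: Origin` so a shared cache cannot serve one origin's `Access-Control-Allow-Origin` to another; plus a small checker for a cross-site cookie's `SameSite=None; Secure` attributes. The origins in `ALLOWED_ORIGINS` and the cookie strings are constructed placeholders.

```javascript
// Added example: CORS headers for credentialed requests and a cross-site cookie check.
// ALLOWED_ORIGINS is a constructed allowlist; replace with your real origins.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Returns the response headers to attach. When the request origin is not on the
// allowlist, only "Vary: Origin" is returned: no Allow-Origin, no Allow-Credentials,
// so the browser refuses to expose the response to the calling page.
function corsHeadersForCredentialedRequest(requestOrigin, allowlist = ALLOWED_ORIGINS) {
  // Vary on Origin unconditionally: the response differs per origin even when
  // the answer is "nothing", and caches must not mix those answers up.
  const headers = { "Vary": "Origin" };
  if (typeof requestOrigin !== "string" || !allowlist.has(requestOrigin)) {
    return headers;
  }
  // Exact echo of an allowlisted origin; "*" is never valid alongside credentials.
  headers["Access-Control-Allow-Origin"] = requestOrigin;
  headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}

// Inspects a Set-Cookie value intended for cross-site use and returns a list of
// problems (empty when the cookie is acceptable). SameSite=None is only honoured
// by browsers when Secure is also present, and Secure only works over HTTPS.
function crossSiteCookieProblems(setCookieValue) {
  const attrs = setCookieValue
    .split(";")
    .slice(1) // first segment is name=value, the rest are attributes
    .map((a) => a.trim().toLowerCase());
  const problems = [];
  if (!attrs.includes("samesite=none")) problems.push("missing SameSite=None attribute");
  if (!attrs.includes("secure")) problems.push("missing Secure attribute");
  return problems;
}

// Stand-alone demonstration with constructed inputs.
console.log(corsHeadersForCredentialedRequest("https://app.example.com"));
console.log(corsHeadersForCredentialedRequest("https://attacker.example"));
console.log(crossSiteCookieProblems("sid=abc; SameSite=None; Secure; HttpOnly; Path=/"));
console.log(crossSiteCookieProblems("sid=abc; SameSite=None"));
```

The allowlist comparison is an exact string match on the full origin (scheme, host and port); matching by substring or regular expression is a common way to let `https://app.example.com.attacker.example` through, so the example deliberately avoids it.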
Proxy considerations
Forwarding Authorization to an upstream should be an explicit, per-route toggle, never implicit behaviour in a multi-tenant proxy.
Strip Set-Cookie from upstream responses unless the browser is meant to receive those cookies; otherwise a proxied response can plant cookies on the proxy's origin (a session fixation risk).
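An added example (not from the original post) of the two proxy rules above, written as pure header-filtering functions so they can be dropped into any reverse proxy: Authorization is forwarded only when the matched route opts in, and Set-Cookie is removed from the upstream response unless the route opts in. The `ROUTES` table, its upstream hosts and the header values are constructed for illustration.

```javascript
// Added example: per-route header policy for a multi-tenant reverse proxy.
// ROUTES is a constructed configuration; both toggles default to off.
const ROUTES = {
  "/api/tenant-a/": { upstream: "https://tenant-a.internal", forwardAuthorization: true,  passSetCookie: false },
  "/api/public/":   { upstream: "https://public.internal",   forwardAuthorization: false, passSetCookie: false },
};

// Longest-prefix match so a more specific route wins over a broader one.
function findRoute(path, routes = ROUTES) {
  const prefixes = Object.keys(routes)
    .filter((p) => path.startsWith(p))
    .sort((a, b) => b.length - a.length);
  return prefixes.length ? routes[prefixes[0]] : null;
}

// Headers to send upstream. Header names are compared case-insensitively;
// Authorization is dropped unless the route explicitly enables forwarding.
function upstreamRequestHeaders(incomingHeaders, route) {
  const out = {};
  for (const [name, value] of Object.entries(incomingHeaders)) {
    if (name.toLowerCase() === "authorization" && !route.forwardAuthorization) continue;
    out[name] = value;
  }
  return out;
}

// Headers to return to the browser. Set-Cookie is stripped unless the route
// explicitly allows upstream cookies to reach the client.
function clientResponseHeaders(upstreamHeaders, route) {
  const out = {};
  for (const [name, value] of Object.entries(upstreamHeaders)) {
    if (name.toLowerCase() === "set-cookie" && !route.passSetCookie) continue;
    out[name] = value;
  }
  return out;
}

// Stand-alone demonstration with constructed headers.
const incoming = { Authorization: "Bearer constructed-token", Accept: "application/json" };
const fromUpstream = { "Set-Cookie": ["upstream_session=constructed; Path=/"], "Content-Type": "application/json" };
for (const path of ["/api/tenant-a/users", "/api/public/status"]) {
  const route = findRoute(path);
  console.log(path, upstreamRequestHeaders(incoming, route), clientResponseHeaders(fromUpstream, route));
}
```

Keeping the toggles as route data rather than code means a review of the proxy configuration shows exactly which upstreams can see end-user credentials and which can set cookies on the proxy's origin; an unmatched path returns `null` from `findRoute` and should be rejected by the caller rather than proxied with default headers.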
