Cookie not set with Node + Express + Nginx

Question

I have a Node app using Express, and I try to set a cookie to my client. It works well on local environment (http). But once I put in production (https), I receive well the cookie (I can see it in the response), but it is not set. Any idea?

Nginx conf:

http {
  include mime.types;
  default_type application/octet-stream;
  sendfile on;
  keepalive_timeout 65;
  gzip on;

  server {
    listen 443 ssl default_server;
    listen [::]:443 default_server;
    server_name back.domain.com;

    ssl_certificate  /etc/letsencrypt/.../fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/.../privkey.pem;

    location / {
        proxy_pass http://localhost:5000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache_bypass $http_upgrade;
    }
  }
}

Node app:

const api = express()

api.enable('trust proxy')
api.use(cors({origin: 'https://front.domain.com', credentials: true}))

api.post('/login', (req, res) => {
  // validate credentials and generate token
  // set expires to 24h

  res
    .cookie('token', token, {expires, httpOnly: true, secure: true})
    .sendStatus(204)
})

Front:

// I use the axios lib
axios({
  baseURL: 'https://back.domain.com',
  url: '/login',
  withCredentials: true,
  method: 'POST'
}

Answer 1

Another possible reason for cookies not being set is having option:

secure: true

when protocol is http (not secure) instead of https.