Access-Control-Allow-Origin: https://example.org
Access-Control-Allow-Credentials: true
set-cookie: foo=bar; Secure; HttpOnly