Multiple Set-Cookie headers collapsed on Appwrite Deploy (Next.js 15) — only 1 cookie set
- Sites
- Web
- Auth
- Cloud
I’m deploying a Next.js 15 app to Appwrite → Deploy → Sites. In app/api/auth/login/route.ts I try to set 3 cookies.
Variant A (manual headers):
```ts
const headers = new Headers();
headers.set("Content-Type", "application/json");
headers.set("Cache-Control", "no-store");
headers.set("Set-Cookie", sessionCookie);
headers.append("Set-Cookie", teamCookie);
headers.append("Set-Cookie", localeCookie);
return new Response(JSON.stringify({ ok: true }), { status: 200, headers });
```
Variant B (NextResponse API):
```ts
import { NextResponse } from "next/server";

export async function POST() {
  const res = NextResponse.json({ ok: true }, { headers: { "Cache-Control": "no-store" } });
  res.cookies.set("a_session", "secret", { path: "/", httpOnly: true, sameSite: "lax", secure: true });
  res.cookies.set("active_team_id", "team123", { path: "/", httpOnly: true, sameSite: "lax", secure: true });
  res.cookies.set("NEXT_LOCALE", "en", { path: "/", sameSite: "lax", secure: true });
  return res;
}
```
Expected: Browser should receive three distinct Set-Cookie headers and store all 3.
Actual: On Appwrite Deploy, I only see one Set-Cookie in DevTools → Network → Response Headers (and only the last cookie is stored). On my own server (local/custom), all 3 Set-Cookie headers appear and all 3 cookies are stored.
What I tried:
- headers.append("Set-Cookie", ...) with different orders
- NextResponse.cookies.set(...) approach
- Static hard-coded cookie values
- Verified in DevTools: still only one Set-Cookie on Appwrite Deploy
Env:
- Next.js 15 (App Router, Route Handlers)
- Same-origin fetch (no CORS)
- secure: true, SameSite=Lax, no domain specified
- Works locally / custom server, issue only on Appwrite Deploy → Sites
Question: Is Appwrite Deploy’s proxy collapsing multiple Set-Cookie headers? What’s the recommended way to reliably set multiple cookies on Appwrite Deploy?
<@743532656767270934> <@186656408450629633> Can you help me? 😕
Might be best to get <@287294735054274560> involved here. I do remember having some issues with cookies not being set correctly in Sites; might be related?
Thanks <@743532656767270934>, I’ll wait for <@287294735054274560> — he might know what’s going on.
Are you self-hosting or on cloud?
<@462046107556511744> I’m on Appwrite Cloud. The issue only happens there. I tried on my own server and it works fine.
So I just tested on my Svelte site and the 2 cookies I set are showing up as expected.
However, my code was slightly different from yours. I used Next.js' cookies from next/headers:
```js
import { NextResponse } from "next/server";
import { cookies } from 'next/headers'

export const runtime = "nodejs";

export async function GET(request) {
  // Read the cookies that arrived with the request.
  const cookieStore = await cookies();
  const allCookies = cookieStore.getAll();
  console.log('All cookies:', allCookies);
  const visited = cookieStore.get('visited');
  console.log('visited:', visited);

  // Queue two cookies; each should go out as its own Set-Cookie header.
  cookieStore.set('visited', 'true', { path: '/', httpOnly: true });
  cookieStore.set('another', 'true', { path: '/', httpOnly: true });

  return NextResponse.json(
    {
      status: "ok",
      cookies: allCookies,
    },
    {
      headers: {
        "Content-Type": "application/json",
        // Browsers reject "*" as Allow-Origin on credentialed cross-origin requests.
        "Access-Control-Allow-Origin": "*",
        "Access-Control-Allow-Methods": "POST, OPTIONS, GET",
        "Access-Control-Allow-Headers": "Content-Type, Authorization",
        "Access-Control-Allow-Credentials": "true"
      }
    },
  );
}
```
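Added example, not part of the thread and not Appwrite's code: a model of how an intermediary that keeps one value per header name turns three Set-Cookie lines into one, and how to tell that apart from comma-folding. The three forwarder functions are hypothetical and the header values are constructed from the cookie names in the question; the thread does not establish which, if either, Appwrite's proxy does.

```javascript
// Constructed sample: the header list the route handler in the question emits.
const originHeaders = [
  ["Content-Type", "application/json"],
  ["Set-Cookie", "a_session=secret; Path=/; HttpOnly; Secure; SameSite=Lax"],
  ["Set-Cookie", "active_team_id=team123; Path=/; HttpOnly; Secure; SameSite=Lax"],
  ["Set-Cookie", "NEXT_LOCALE=en; Path=/; Secure; SameSite=Lax"],
];

// Hypothetical hop that keeps one value per header name (last write wins).
function forwardLastWins(pairs) {
  const map = new Map();
  for (const [name, value] of pairs) map.set(name.toLowerCase(), value);
  return [...map.entries()];
}

// Hypothetical hop that folds repeated headers into one comma-joined line (unsafe for Set-Cookie).
function forwardCommaJoined(pairs) {
  const map = new Map();
  for (const [name, value] of pairs) {
    const key = name.toLowerCase();
    map.set(key, map.has(key) ? `${map.get(key)}, ${value}` : value);
  }
  return [...map.entries()];
}

// Hop that forwards the header list unchanged, duplicates included.
function forwardPreserving(pairs) {
  return pairs.map(([name, value]) => [name.toLowerCase(), value]);
}

// Simplified browser model: one cookie per Set-Cookie line, named by the text before the first "=".
function cookieNamesStored(pairs) {
  return pairs
    .filter(([name]) => name.toLowerCase() === "set-cookie")
    .map(([, value]) => value.split(";")[0].split("=")[0].trim());
}

// Classify what a client received against the cookie names the origin meant to set.
function diagnose(received, expected) {
  const lines = received.filter(([n]) => n.toLowerCase() === "set-cookie").map(([, v]) => v);
  const stored = cookieNamesStored(received);
  const missing = expected.filter((name) => !stored.includes(name));
  if (missing.length === 0) return "preserved";
  const folded = lines.some((v) => missing.some((name) => v.includes(`, ${name}=`)));
  return folded ? "comma-joined" : `dropped: ${missing.join(",")}`;
}

const expected = ["a_session", "active_team_id", "NEXT_LOCALE"];
for (const hop of [forwardLastWins, forwardCommaJoined, forwardPreserving]) console.log(hop.name, diagnose(hop(originHeaders), expected));
```

In DevTools, a single Set-Cookie line carrying only the last cookie matches the last-wins case, which is the symptom reported in the question. A single line containing all three names separated by commas matches the folded case, where only the first name is stored.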