Cookies set (intentionally insecure)

Look at Set-Cookie headers — none have HttpOnly + SameSite + Secure all set.