The 'jwt' cookie should have 'Secure' set to 'true'.