diff --git a/deploy/dev/test_all_apis.py b/deploy/dev/test_all_apis.py
index 71e5ddf..d313241 100644
--- a/deploy/dev/test_all_apis.py
+++ b/deploy/dev/test_all_apis.py
@@ -56,7 +56,11 @@ class Session:
 """Minimal cookie-aware HTTP session using stdlib only."""
 def __init__(self):
- self.cookie_jar = http.cookiejar.CookieJar()
+ self.cookie_jar = http.cookiejar.CookieJar(
+ policy=http.cookiejar.DefaultCookiePolicy(
+ secure_protocols=("https", "http")
+ )
+ )
 self.opener = urllib.request.build_opener(
 urllib.request.HTTPCookieProcessor(self.cookie_jar)
 )
@@ -107,7 +111,7 @@ class Session:
 return self.request("DELETE", url, **kw)
 def csrf_headers(self):
- token = self.get_cookie("XSRF-TOKEN")
+ token = self.get_cookie("__Host-XSRF-TOKEN")
 return {"xsrf-token": token} if token else {}
@@ -134,8 +138,8 @@ def phase0_health(s: Session):
 print("\n=== Phase 0: Health & CSRF ===")
 code, body, hdrs = s.get(f"{GATEWAY}/healthz")
 report("GET /healthz", code, body)
- xsrf = s.get_cookie("XSRF-TOKEN")
- xsrf_guard = s.get_cookie("XSRF-GUARD")
+ xsrf = s.get_cookie("__Host-XSRF-TOKEN")
+ xsrf_guard = s.get_cookie("__Host-XSRF-GUARD")
 print(f" XSRF-TOKEN: {xsrf}")
 print(f" XSRF-GUARD: {xsrf_guard}")
 if not xsrf:
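Review bot: Listing `"http"` in `secure_protocols` in `Session.__init__` makes the jar return `Secure` cookies over cleartext HTTP on every request this session makes, not only to a local gateway. If the aim is to let the `__Host-` cookies round-trip against a plain-HTTP dev gateway (that is my reading; the gateway URL is defined outside the hunk), tie the relaxation to that case, e.g. `secure_protocols=("https", "http") if GATEWAY.startswith("http://") else ("https",)`, and add a comment such as `# dev only: gateway is plain HTTP; never point this session at a shared or remote host`. The `secure_protocols` argument needs Python 3.8 or later, which is worth stating next to the "stdlib only" docstring. The rest of `__init__` may continue past the hunk.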
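Review bot: The cookie name in `csrf_headers` is now one more copy of a literal that `phase0_health` also spells out (`"__Host-XSRF-TOKEN"`, `"__Host-XSRF-GUARD"`), so the next rename has three places to miss. Module-level constants, `XSRF_TOKEN_COOKIE = "__Host-XSRF-TOKEN"` and `XSRF_GUARD_COOKIE = "__Host-XSRF-GUARD"`, used here and in `phase0_health` would keep them in step. `csrf_headers` also returns `{}` when the cookie is absent, so a gateway that still issues the unprefixed name would likely surface only as CSRF rejections on later calls; a docstring such as `"""Return the xsrf-token header from the __Host-XSRF-TOKEN cookie, or {} if it is not set."""` would make that contract visible.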
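Review bot: Reading the cookies by their `__Host-` names in `phase0_health` does not show that the gateway set them correctly, because `http.cookiejar` applies no cookie-prefix rules and will store a `__Host-` cookie that lacks `Secure` or carries a `Domain`. Since this phase is the CSRF check, it could assert the attributes on the stored cookies, e.g. `c.secure and c.path == "/" and not c.domain_specified` for each cookie `c` in `s.cookie_jar` whose name starts with `__Host-`. The two `print` labels below the changed lines still say `XSRF-TOKEN:` / `XSRF-GUARD:` and echo the token values; printing the full cookie name and only whether a value is present would keep CI logs accurate and free of token material. The function body continues past the end of the hunk.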