Is Serverless modifying headers?

I have a simple Serverless setup:

service: service-lambda

provider:
  name: aws
  runtime: nodejs8.10

plugins:
  - serverless-offline

functions:
  index:
    handler: index.handler
    events:
    - http: ANY /
    - http: 'ANY /{proxy+}'

And I have a simple express app set up with the following:

const serverless = require('serverless-http');
const app = require('./app');

module.exports.handler = serverless(app);

If I set up multiple cookies on the response like so:

res.cookie('ocid', ocid);
res.cookie('ouid', ouid);
res.cookie('accessToken', rawToken.access_token);

I can see them in the reponse when it’s logged:

Serverless: [200] {"isBase64Encoded":false,"statusCode":200,"headers":{"set-cookie":"oscp=openid; Path=/","Set-cookie":"ocid=0oaghi5emxJaZojD90h7; Path=/","sEt-cookie":"ouid=00ufev7ma0qtC3pep0h7; Path=/","content-type":"text/html; charset=utf-8","content-length":"1418","etag":"W/\"58a-tSuaf83CEXA+voyLjRzOM+TL3xE\""},"body":"<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n <meta charset=\"utf-8\">\n <meta name=\"viewport\" content=\"width=device-width, initial-scale=1, shrink-to-fit=no\">\n <link rel=\"stylesheet\" href=\"https://stackpath.bootstrapcdn.com/bootstrap/4.1.3/css/bootstrap.min.css\" integrity=\"sha384-MCw98/SFnGE8fJT3GXwEOngsV7Zt27NXFoaoApmYm81iuXoPkFOJwJ8ERdknLPMO\" crossorigin=\"anonymous\">\n <title>more than one</title>\n</head>\n<body>\n<div class=\"container-fluid\">\n <div class=\"card\">\n <div class=\"card-header border\">\n <div>TEST AUTHENTICATION</div>\n </div>\n <div class=\"card-body\">\n <div>Query Code: _BdUehDafYHfUnHm_P-k</div>\n <div>Query state:state-cece5edc-80a2-4582-8447-2609c7942acd</div>\n <div><a href=\"/\">Go Home</a></div>\n </div>\n </div>\n</div>\n<script src=\"https://code.jquery.com/jquery-3.3.1.slim.min.js\" integrity=\"sha384-q8i/X+965DzO0rT7abK41JStQIAqVgRVzpbzo5smXKp4YfRvH+8abtTE1Pi6jizo\" crossorigin=\"anonymous\"></script>\n<script src=\"https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.14.3/umd/popper.min.js\" integrity=\"sha384-ZMP7rVo3mIykV+2+9J3UJ46jBk0WLaUAdn689aCwoqbBJiSnjAK/l8WvCWPIPm49\" crossorigin=\"anonymous\"></script>\n<script src=\"https://stackpath.bootstrapcdn.com/bootstrap/4.1.3/js/bootstrap.min.js\" integrity=\"sha384-ChfqqxuZUCnJSK3+MXmPNIyE6ZbWh2IMqE241rYiqJxyMiZ6OW/JmZQ5stwEULTy\" crossorigin=\"anonymous\"></script>\n</body>\n"}

But only one cookie is available in the browser and it’s the last one.

Any idea what is going on here?

Also, I’m seeing this behavior when running the application via serverless-offline.