diff --git a/server/proxy.go b/server/proxy.go
index a2565c9..e603988 100755
--- a/server/proxy.go
+++ b/server/proxy.go
@@ -69,6 +69,8 @@ func (rp *redirPurge) RoundTrip(r *http.Request) (*http.Response, error) {
 	if loc := resp.Header.Get("Location"); loc != "" {
 		resp.Header.Set("Location", strings.Replace(loc, rp.targetHost, rp.proxyHost, 1))
 	}
+	// google floc https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network
+	resp.Header.Set("Permissions-Policy", "interest-cohort=()")
 	return resp, err
 }
 
diff --git a/server/server.go b/server/server.go
index 5b9a9ac..5c43963 100755
--- a/server/server.go
+++ b/server/server.go
@@ -115,6 +115,7 @@ func (s *Server) doAuthelia(foo http.HandlerFunc) http.HandlerFunc {
 			panic(fmt.Sprintf("bad config for authelia url: %v", err))
 		}
 		url.Path = "/api/verify"
+		logb.Verbosef("authelia @ %s", url.String())
 		req, err := http.NewRequest(http.MethodGet, url.String(), nil)
 		if err != nil {
 			panic(err.Error())
@@ -134,11 +135,13 @@ func (s *Server) doAuthelia(foo http.HandlerFunc) http.HandlerFunc {
 				"X-Forwarded-Uri":   r2.URL.String(),
 			} {
 				if _, ok := httpreq.Header[k]; !ok {
+					logb.Verbosef("authelia header setting %s:%s", k, v)
 					httpreq.Header.Set(k, v)
 				}
 			}
 		}
 		if cookie, err := r.Cookie("authelia_session"); err == nil {
+			logb.Verbosef("authelia session found in cookies; %+v", cookie)
 			req.AddCookie(cookie)
 		}
 		c := &http.Client{
@@ -149,6 +152,7 @@ func (s *Server) doAuthelia(foo http.HandlerFunc) http.HandlerFunc {
 		}
 
 		autheliaKey := mapKey(req.Host)
+		logb.Verbosef("request to %s is authelia %s? %v", r.Host, autheliaKey, strings.HasPrefix(r.Host, autheliaKey))
 		if strings.HasPrefix(r.Host, autheliaKey) {
 			logb.Debugf("no authelia for %s because it has prefix %s", r.Host, autheliaKey)
 			foo(w, r)
@@ -176,13 +180,13 @@ func (s *Server) doAuthelia(foo http.HandlerFunc) http.HandlerFunc {
 						Name:     k,
 						Value:    resp.Header.Get(k),
 						Path:     "/",
-						Domain:   r2.Host,
 						SameSite: http.SameSiteLaxMode,
-						Secure:   true,
-						HttpOnly: true,
 						Expires:  time.Now().Add(24 * time.Hour * 30),
 					}
+					logb.Verbosef("setting authelia cookie in response: %+v", cookie)
 					http.SetCookie(w, cookie)
+					logb.Verbosef("setting authelia cookie in request: %+v", cookie)
+					r.AddCookie(cookie)
 				}
 			}
 			foo(w, r)
@@ -192,6 +196,7 @@ func (s *Server) doAuthelia(foo http.HandlerFunc) http.HandlerFunc {
 		q := url.Query()
 		q.Set("rd", r2.URL.String())
 		url.RawQuery = q.Encode()
+		logb.Verbosef("authelia status %d, rd'ing %s", resp.StatusCode, url.String())
 		http.Redirect(w, r, url.String(), http.StatusFound)
 	}
 }
@@ -268,8 +273,10 @@ func (s *Server) Pre(foo http.HandlerFunc) http.HandlerFunc {
 			return
 		}
 		if s.auth.BOAuthZ {
+			logb.Verbosef("doing boauthz for request to %s", r.URL.String())
 			s.doBOAuthZ(foo)(w, r)
 		} else if s.auth.Authelia {
+			logb.Verbosef("doing authelia for request to %s", r.URL.String())
 			s.doAuthelia(foo)(w, r)
 		} else {
 			foo(w, r)