Thank you both @KenWhitesell && @CodenameTim for taking a time to help me with my problem!
@CodenameTim your pointer to set CSRF_COOKIE_DOMAIN finally did a trick in my prod environment, since dev is slightly different(no nginx) it’s not working yet but will investigate it later, at least i know it’s doable.
Bellow settings that worked for me:
ALLOWED_HOSTS = ["." + os.environ.get("DOMAIN_NAME")]
CORS_ALLOWED_ORIGIN_REGEXES = [r"https://\w+\.".format(os.environ.get("DOMAIN_NAME"))]
CORS_ALLOW_CREDENTIALS = True
CSRF_COOKIE_HTTPONLY = False
CSRF_COOKIE_SECURE = True
CSRF_COOKIE_DOMAIN = os.environ.get("DOMAIN_NAME")
CSRF_TRUSTED_ORIGINS = [
"https://*." + os.environ.get("DOMAIN_NAME"),
]
SESSION_COOKIE_SECURE = True
SESSION_COOKIE_DOMAIN = os.environ.get("DOMAIN_NAME")
SESSION_COOKIE_HTTPONLY = True