These tend to manifest themselves when you have mixed content on the page or you're using CORS. For CORS the issues can surface due to running different rules for dev vs prod/stg.

HTTP/2 quirks, e.g. header capitalization.

I think I've seen some different cache behaviors.

Secure cookies (and maybe same/cross site stuff?)