Hi,
My Alfresco application is working as expected, but my security guy has found out that the Alfresco site is vulnerable to CSRF. Our application is configured to use CAS for login and works through a proxy server. I did not specifically configure the CSRF filter. Please help me fix this CSRF vulnerability.
Hi
As far as I know, all the configuration you need for CSRF is in share-security-config.xml. You will find a section <config evaluator="string-compare" condition="CSRFPolicy">.
You can copy the content into share-config-custom.xml and change the multiple Referers and Origins.
Which version of Alfresco do you have?
Source: Cross-Site Request Forgery (CSRF) filters | Alfresco Documentation
This is the version I have seen in my Alfresco readme file.
Contains:
- Alfresco Platform: 5.2.g
- Alfresco Share: 5.2.f
I have seen this document you sent me, but what I should change is the question. I have modified the following
My issue here is to set the Alfresco-CSRFToken cookie to Secure and HttpOnly.
So, in the tomcat folder of your installation, go to the path shared/classes/alfresco/web-extension/ and you should find a share-config-custom.xml. In this file you should copy the section I mentioned in my earlier reply (<config evaluator="string-compare" condition="CSRFPolicy">).
The origin and referer should be the DNS name of your server if the Share and Alfresco applications are deployed on the same server.
More information on origin and referer in HTTP requests:
Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet - OWASP
Otherwise, ask your security guy what values you should put. Then you need to restart Tomcat and he can check directly.
Hi Simon,
I did change "the origin and referer" to the DNS name of my server in share-config-custom.xml, but it still did not work. My Alfresco-CSRFToken cookie is still not set to Secure and HttpOnly in the Firefox Firebug cookie column.
Hi @bhargav_vempall, did you find out how to set the cookie's HttpOnly flag? If you have done so, please help me do the same.
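Checking the cookie flags in Firebug by hand is error-prone, so here is a small auditor for Set-Cookie headers. This is an added example, not code from the original thread or from Alfresco: it parses each Set-Cookie value, reports cookies that lack Secure (when the site is served over HTTPS) or HttpOnly, and treats Alfresco-CSRFToken as a cookie that must stay readable by JavaScript, because Share's client-side code copies it from document.cookie into the Alfresco-CSRFToken request header and an HttpOnly flag would break that check. The sample headers are constructed for illustration, not captured from a real server; the session ID and token values are made up.

```python
#!/usr/bin/env python3
"""Audit Set-Cookie headers for the Secure and HttpOnly flags.

Added example for this thread; not part of Alfresco or the posters' setup.
"""
import sys
import urllib.request
from dataclasses import dataclass, field

# Cookies that browser-side JavaScript must be able to read.  Share's JS reads
# Alfresco-CSRFToken and sends it back as a request header, so HttpOnly on it
# is not a finding: it would disable the CSRF filter's token check.
JS_READABLE = {"Alfresco-CSRFToken"}


@dataclass
class Cookie:
    name: str
    value: str
    # lower-cased attribute name -> attribute value (None for bare flags)
    attrs: dict = field(default_factory=dict)

    @property
    def secure(self) -> bool:
        return "secure" in self.attrs

    @property
    def httponly(self) -> bool:
        return "httponly" in self.attrs


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value: 'name=value; Attr; Attr=val; ...'."""
    parts = [p.strip() for p in header.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep or not name.strip():
        raise ValueError(f"malformed Set-Cookie: {header!r}")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or None
    return Cookie(name.strip(), value.strip(), attrs)


def audit(headers, over_https=True, js_readable=JS_READABLE):
    """Return a list of (cookie name, problem) findings for Set-Cookie values."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if over_https and not cookie.secure:
            findings.append((cookie.name, "missing Secure"))
        if cookie.name in js_readable:
            if cookie.httponly:
                findings.append((cookie.name, "HttpOnly set on a cookie the Share JS must read"))
        elif not cookie.httponly:
            findings.append((cookie.name, "missing HttpOnly"))
    return findings


def fetch_set_cookie(url: str):
    """Collect the Set-Cookie headers from a live response (needs network)."""
    with urllib.request.urlopen(url) as resp:
        return resp.headers.get_all("Set-Cookie") or []


# Constructed sample resembling what a Share response over plain HTTP might
# carry; the values are invented for the example.
SAMPLE_HEADERS = [
    "JSESSIONID=1A2B3C4D5E6F; Path=/share; HttpOnly",
    "Alfresco-CSRFToken=d41d8cd9-8f00-3204-a980-0998ecf8427e; Path=/share",
]

if __name__ == "__main__":
    # Usage: audit_cookies.py [https://share.example.com/share/page]
    headers = fetch_set_cookie(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_HEADERS
    for name, problem in audit(headers):
        print(f"{name}: {problem}")
```

Run it without arguments to see the findings for the constructed sample (both cookies are reported as missing Secure, and JSESSIONID passes the HttpOnly check); pass the Share login URL as an argument to audit a real response, and pass over_https=False to audit() if the site is only reachable over plain HTTP, since Secure is meaningless there.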
Waiting for your reply.