https://connect.hyland.com/t5/alfresco-forum/enable-alfresco-csrf-token-in-alfresco/m-p/20211#M8956 <P>Hi <A href="https://migration33.stage.lithium.com/t5/user/viewprofilepage/user-id/7593">@bhargav_vempall</A> did you find how to set cookie to httpOnly flag. If u have done please help me in doing the same.</P><P>Waiting for your reply.</P> Thu, 13 Aug 2020 11:06:32 GMT akash251998 2020-08-13T11:06:32Z https://connect.hyland.com/t5/alfresco-forum/enable-alfresco-csrf-token-in-alfresco/m-p/20206#M8951 Hi,&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;My alfresco application&nbsp;is working as expected.&nbsp;But my security guy has found&nbsp;out that the alfresco site is&nbsp;has CSRF&nbsp;vulnerable.&nbsp;Our application is configured using CAS&nbsp;for login and&nbsp;works through proxy server. I did not Specifically configure CSRF filter.&nbsp;Please&nbsp;help me&nbsp;fix this CSRF vulne Mon, 13 Nov 2017 18:55:15 GMT https://connect.hyland.com/t5/alfresco-forum/enable-alfresco-csrf-token-in-alfresco/m-p/20206#M8951 bhargav_vempall 2017-11-13T18:55:15Z https://connect.hyland.com/t5/alfresco-forum/enable-alfresco-csrf-token-in-alfresco/m-p/20207#M8952 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>As far as I know all the configuration you need for CRSF is in the&nbsp;<SPAN style="font-family: 'courier new', courier, monospace;">share-security-config.xml.&nbsp;</SPAN>You will find a section&nbsp;<SPAN style="font-family: 'courier new', courier, monospace;">&lt;config evaluator="string-compare" condition="CSRFPolicy"&gt;.&nbsp;</SPAN></P><P>You can copy the content in the <SPAN style="font-family: 'courier new', courier, monospace;">share-custom-config.xml </SPAN>and change the multiple Referers ans Origins.&nbsp;</P><P></P><P>Which version of alfresco you have?&nbsp;</P><P></P><P>Source:&nbsp;<A class="link-titled" href="http://docs.alfresco.com/5.2/concepts/csrf-policy.html" title="http://docs.alfresco.com/5.2/concepts/csrf-policy.html" rel="nofollow noopener noreferrer">Cross-Site Request Forgery (CSRF) filters | Alfresco Documentation</A>&nbsp;</P></BODY></HTML> Tue, 14 Nov 2017 07:52:48 GMT https://connect.hyland.com/t5/alfresco-forum/enable-alfresco-csrf-token-in-alfresco/m-p/20207#M8952 gluck113 2017-11-14T07:52:48Z https://connect.hyland.com/t5/alfresco-forum/enable-alfresco-csrf-token-in-alfresco/m-p/20208#M8953 <HTML><HEAD></HEAD><BODY><P>This is the version I have seen in my alfresco readme file.</P><P>Contains:<BR />&nbsp;- Alfresco Platform:&nbsp;5.2.g<BR />&nbsp;- Alfresco Share:&nbsp;&nbsp;5.2.f</P><P></P><P>I have seen this document you sent me, but what should I change is the question I have modified the following</P><P><STRONG>&nbsp;</STRONG></P><P><STRONG>My issue here is to set the Alfresco-CSRFToken cookie to secure and Httponly.</STRONG></P></BODY></HTML> Tue, 14 Nov 2017 15:05:09 GMT https://connect.hyland.com/t5/alfresco-forum/enable-alfresco-csrf-token-in-alfresco/m-p/20208#M8953 bhargav_vempall 2017-11-14T15:05:09Z https://connect.hyland.com/t5/alfresco-forum/enable-alfresco-csrf-token-in-alfresco/m-p/20209#M8954 <HTML><HEAD></HEAD><BODY><P>So in your tomcat folder of your installation go to the following path <SPAN class="">shared/classes/alfresco/web-extension/ </SPAN>and you should find a shared-config-custom.xml. In this file you should copy the section I mentionned in my earlier reply (<SPAN style="font-family: 'courier new', courier, monospace;">&lt;config evaluator="string-compare" condition="CSRFPolicy"&gt;</SPAN> ).</P><P>The origin and referer should be the dns of your server if the share and alfresco applications are deployed on the same server.</P><P></P><P>More information on origin and referer in http request:</P><P><A class="link-titled" href="https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Checking_the_Origin_Header" title="https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Checking_the_Origin_Header" rel="nofollow noopener noreferrer">Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet - OWASP</A>&nbsp;</P><P>Otherwise ask your security guy what you should put as values. Then you need to restart tomcat and he can check directly.</P></BODY></HTML> Wed, 15 Nov 2017 20:33:58 GMT https://connect.hyland.com/t5/alfresco-forum/enable-alfresco-csrf-token-in-alfresco/m-p/20209#M8954 gluck113 2017-11-15T20:33:58Z https://connect.hyland.com/t5/alfresco-forum/enable-alfresco-csrf-token-in-alfresco/m-p/20210#M8955 <HTML><HEAD></HEAD><BODY><P>Hi Simon,</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; I did change the "The origin and referer should be the dns of your server" in shared-config-custom.xml it still did not work. Still my <STRONG>Alfresco-CSRFToken cookie is not set to secure and Httponly in the firefox firebug cookie column. </STRONG></P></BODY></HTML> Wed, 15 Nov 2017 21:07:56 GMT https://connect.hyland.com/t5/alfresco-forum/enable-alfresco-csrf-token-in-alfresco/m-p/20210#M8955 bhargav_vempall 2017-11-15T21:07:56Z https://connect.hyland.com/t5/alfresco-forum/enable-alfresco-csrf-token-in-alfresco/m-p/20211#M8956 <P>Hi <A href="https://migration33.stage.lithium.com/t5/user/viewprofilepage/user-id/7593">@bhargav_vempall</A> did you find how to set cookie to httpOnly flag. If u have done please help me in doing the same.</P><P>Waiting for your reply.</P> Thu, 13 Aug 2020 11:06:32 GMT https://connect.hyland.com/t5/alfresco-forum/enable-alfresco-csrf-token-in-alfresco/m-p/20211#M8956 akash251998 2020-08-13T11:06:32Z