My Alfresco application is working as expected, but my security guy has found that the Alfresco site is vulnerable to CSRF. Our application is configured to use CAS for login and works through a proxy server. I did not specifically configure the CSRF filter. Please help me fix this CSRF vulnerability.
So in the tomcat folder of your installation, go to the path shared/classes/alfresco/web-extension/ and you should find share-config-custom.xml. In this file you should copy the section I mentioned in my earlier reply (<config evaluator="string-compare" condition="CSRFPolicy">).
The origin and referer should be the DNS name of your server if the Share and Alfresco applications are deployed on the same server.
More information on origin and referer in HTTP requests:
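A complete share-config-custom.xml for the reply above, added here as an illustration rather than text from the thread or a verbatim copy of Alfresco's shipped defaults. It assumes the browser reaches Share through the proxy at https://dms.example.com (an assumed hostname; substitute your own). The referer and origin values are regular expressions matched against the Referer and Origin request headers, so they must describe the external URL the proxy presents, not the tomcat host behind it:

```xml
<!-- share-config-custom.xml (tomcat/shared/classes/alfresco/web-extension/) -->
<alfresco-config>

  <!-- replace="true" discards the default CSRFPolicy from share-security-config.xml,
       so the whole filter must be present here. An empty <filter/> switches CSRF
       protection OFF entirely; do not use that to make the error go away. -->
  <config evaluator="string-compare" condition="CSRFPolicy" replace="true">

    <properties>
      <!-- Name of the session attribute, cookie and request header/parameter
           that carry the token. There is normally no reason to change it. -->
      <token>Alfresco-CSRFToken</token>

      <!-- ASSUMPTION: users reach Share as https://dms.example.com through the
           proxy. Anchored regexps; a request whose Referer/Origin does not
           match is rejected. -->
      <referer>https://dms\.example\.com/.*</referer>
      <origin>https://dms\.example\.com</origin>
    </properties>

    <filter>
      <!-- Form login: drop any stale token so a fresh one is issued afterwards -->
      <rule>
        <request>
          <method>POST</method>
          <path>/page/dologin(\?.+)?</path>
        </request>
        <action name="clearToken">
          <param name="session">{token}</param>
          <param name="cookie">{token}</param>
        </action>
      </rule>

      <!-- Issue a token on the first page view of an authenticated session -->
      <rule>
        <request>
          <method>GET</method>
          <path>/page/.*</path>
          <session>
            <attribute name="_alf_USER_ID">.+</attribute>
            <!-- empty attribute element means "must be null", i.e. no token yet -->
            <attribute name="{token}"/>
          </session>
        </request>
        <action name="generateToken">
          <param name="session">{token}</param>
          <param name="cookie">{token}</param>
        </action>
      </rule>

      <!-- Uploads (multipart): token must arrive as a form parameter -->
      <rule>
        <request>
          <method>POST</method>
          <header name="Content-Type">multipart/.+</header>
          <session>
            <attribute name="_alf_USER_ID">.+</attribute>
          </session>
        </request>
        <action name="assertToken">
          <param name="session">{token}</param>
          <param name="parameter">{token}</param>
        </action>
        <action name="assertReferer">
          <param name="referer">{referer}</param>
        </action>
        <action name="assertOrigin">
          <param name="origin">{origin}</param>
        </action>
      </rule>

      <!-- Every other state-changing request: token must arrive as a header -->
      <rule>
        <request>
          <method>POST|PUT|DELETE</method>
          <session>
            <attribute name="_alf_USER_ID">.+</attribute>
          </session>
        </request>
        <action name="assertToken">
          <param name="session">{token}</param>
          <param name="header">{token}</param>
        </action>
        <action name="assertReferer">
          <param name="referer">{referer}</param>
        </action>
        <action name="assertOrigin">
          <param name="origin">{origin}</param>
        </action>
      </rule>
    </filter>

  </config>
</alfresco-config>
```

Two things worth knowing when checking the result. First, the protection is a double-submit scheme: the filter stores the token in the session and in the Alfresco-CSRFToken cookie, and Share's client-side JavaScript reads that cookie to populate the matching request header, so the token cookie cannot be HttpOnly; what proves the filter is active is that a POST to a /page/ or /proxy/ URL sent with a valid session cookie but without the Alfresco-CSRFToken header (or with a Referer/Origin from another host) is rejected rather than executed. Second, with an external SSO such as CAS the /page/dologin rule never fires, but the generateToken rule still issues the token on the first GET of an authenticated session, so the rest of the policy works unchanged.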
I did change the origin and referer to the DNS name of my server in share-config-custom.xml, as suggested, but it still did not work. My Alfresco-CSRFToken cookie is still not set to Secure and HttpOnly in the Firefox Firebug cookie column.