The CSRF filter can be configured in the web-client-security-config.xml file, which is located in the alfresco.war file. In most cases the only thing that needs to be modified is a regular expression that checks the Origin and Referer headers. This regular expression can be configured using the alfresco-global.properties file. The property configuration then overrides the values in web-client-security-config.xml. The following is an example configuration where Alfresco Content Services runs on the mydomain.com host and port 80:
# CSRF filter overrides csrf.filter.enabled=true csrf.filter.referer=https://mydomain.com/*. csrf.filter.referer.always=false csrf.filter.origin=https://mydomain.com csrf.filter.origin.always=false
The Origin header will be present in HTTP requests that originate from an HTTPS URL and it will tell you from where the application (such as an ADF application) was loaded. If a non-standard port is used, such as 8443, then you'll have to include the port number, such as https://mydomain.com:8443/. If the Origin header is present, then it's checked to make sure it matches the target origin (csrf.filter.origin). If the Origin header isn't present, verify that the hostname in the Referer header matches the target origin (that is, csrf.filter.referer).
The csrf.filter.origin.always property is a boolean that controls whether the referer/origin header must be present when validated. Some browsers don't set referer due to privacy issues. Some old browsers don't set origin.
To disable the CSRF filter all together set the csrf.filter.enabled property to false.