Recently I have a requirement to make the anti-forgery token created by ASP.NET MVC secure.
Basically the anti-forgery token is a cookie in the browser named _RequestVerificationToken, and I want to make it Secure.
I already tried
<!-- web.config, inside <system.web> -->
<compilation debug="true" targetFramework="4.5.2" />
<httpRuntime targetFramework="4.5.2" />
<authentication mode="Windows" />
<identity impersonate="false" />
<pages controlRenderingCompatibilityVersion="4.0" />
<!-- requireSSL marks cookies Secure; httpOnlyCookies marks them HttpOnly -->
<httpCookies requireSSL="true" httpOnlyCookies="true" />
But it's not making the token Secure and HttpOnly.
If anyone can help here, please.
I made the whole site hosted on HTTPS too.
For when you are getting your chops busted by a security manager who has a vendor report saying that this cookie is not Secure, try adding this to Startup.cs ConfigureServices:
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public void ConfigureServices(IServiceCollection services)
{
    services.AddAntiforgery(options =>
    {
        options.FormFieldName = "AntiforgeryFieldname";
        options.HeaderName = "X-CSRF-TOKEN-HEADERNAME";
        // Keep the X-Frame-Options header the antiforgery system adds
        options.SuppressXFrameOptionsHeader = false;
        // Always emit the antiforgery cookie with the Secure flag, not only when the request is HTTPS
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    });
}
Refs:
https://learn.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-3.1
https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.cookiesecurepolicy?view=aspnetcore-3.1
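The answer above targets ASP.NET Core, but the question runs ASP.NET MVC on .NET Framework 4.5.2, which has no Startup.cs or ConfigureServices. The equivalent knob there is AntiForgeryConfig in System.Web.Helpers, set once in Global.asax. The block below is an added example, not code from the question or the answer; the namespace and the RouteConfig call are assumed from the standard MVC 5 project template.

```csharp
// Added example (not part of the original answer): hardening the
// _RequestVerificationToken cookie on ASP.NET MVC 5 / .NET Framework.
// AntiForgeryConfig comes from System.Web.Helpers (System.Web.WebPages).
using System;
using System.Web;
using System.Web.Helpers;
using System.Web.Mvc;
using System.Web.Routing;

namespace MyMvcApp // assumed project namespace
{
    public class MvcApplication : HttpApplication
    {
        protected void Application_Start()
        {
            AreaRegistration.RegisterAllAreas();
            RouteConfig.RegisterRoutes(RouteTable.Routes); // from the MVC 5 template

            // The anti-forgery helper already creates its cookie with HttpOnly = true.
            // RequireSsl makes it also set Secure = true explicitly, and makes every
            // anti-forgery API fail on a non-HTTPS request, so the site must be
            // served over HTTPS everywhere (which the question says it is).
            AntiForgeryConfig.RequireSsl = true;

            // Keep the X-Frame-Options header the helper adds alongside the token
            // (clickjacking defence); the default is false, shown here for clarity.
            AntiForgeryConfig.SuppressXFrameOptionsHeader = false;
        }
    }
}
```

To confirm the fix rather than trusting the scanner, load any page that renders @Html.AntiForgeryToken() and inspect the Set-Cookie response header for __RequestVerificationToken in the browser dev tools: it should carry both the Secure and HttpOnly attributes. If the cookie is still reported without Secure, check that the request actually reached the app over HTTPS (a TLS-terminating proxy that forwards plain HTTP will make Request.IsSecureConnection false).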