Server config causing CSRF triggers
#8

(This post was last modified: 08-22-2017, 01:19 PM by objecttothis.)

Quote: Code can set a cookie any way it wants regardless of how a server is configured. If you're changing Apache defaults your code has to handle that. Personally I wouldn't configure the server and let the application decide how it should work. As long as the correct flags are set it doesn't matter which side does it but code gives you more flexibility.

I'm not really sure what your problem is?

This is why there are an uncounted number of compromised WordPress installations. Plugin developers that don't follow best practices and servers that aren't properly hardened don't prevent against these attacks... many of them just isolate the hacked sites so that it doesn't spread to other applications.

I don't know how I can be more clear as to what the problem is.
- I've hardened my FAMP stack and one or more of those customizations triggers CSRF in CI 3.1.2.
- Logs are enabled in the CI app but they aren't giving me anything.
- I need to debug to get down to what exactly is causing the issue.
- What I need is ideas for common Apache and PHP configuration parameters that are known to cause problems with CSRF and/or ideas about how to get more information from CSRF than HTTP 403.