diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 2dad2515989d9b64f9f0a80c6becd3d313c776f5..e7225378e2908aa2d7b598966c5e77525b70766d 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -6,6 +6,7 @@ variables:
   LEGACY_AUTH_SERVICE_URL: https://download.data.grandlyon.com/auth
   ADMIN_USERNAME: data-beta-grandlyon-com
   USER_SUPPORT_MAILBOX: alpha-test@erasme.org
+  ACCESS_TOKEN_COOKIE_KEY: access_token
 
 build_development:
   stage: build
diff --git a/docker-compose.yml b/docker-compose.yml
index d5f18171e2e8a43dbee9593ff322347606d872cf..516ae78387a122b0707db8de644b69de32dc4036 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -14,10 +14,11 @@ services:
       - USER_SUPPORT_MAILBOX=${USER_SUPPORT_MAILBOX}
       - FRONT_END_URL=${FRONT_END_URL}
       - API_KEY=${API_KEY}
+      - ACCESS_TOKEN_COOKIE_KEY=${ACCESS_TOKEN_COOKIE_KEY}
     restart: unless-stopped
     depends_on:
       - redis
-        
+  
   redis:
     container_name: middleware-legacy-aut-redis-${TAG}
     image: redis:5.0.0-alpine
diff --git a/package-lock.json b/package-lock.json
index 20f830589443d37b8ecda461091636241c0a7745..f28c6aa0737c98bb687c92210510f1cbf4ca0fbd 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,6 +1,6 @@
 {
   "name": "middleware-legacy-auth",
-  "version": "0.0.0",
+  "version": "1.0.0",
   "lockfileVersion": 1,
   "requires": true,
   "dependencies": {
@@ -2064,6 +2064,15 @@
       "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.3.1.tgz",
       "integrity": "sha1-5+Ch+e9DtMi6klxcWpboBtFoc7s="
     },
+    "cookie-parser": {
+      "version": "1.4.4",
+      "resolved": "https://registry.npmjs.org/cookie-parser/-/cookie-parser-1.4.4.tgz",
+      "integrity": "sha512-lo13tqF3JEtFO7FyA49CqbhaFkskRJ0u/UAiINgrIXeRCY41c88/zxtrECl8AKH3B0hj9q10+h3Kt8I7KlW4tw==",
+      "requires": {
+        "cookie": "0.3.1",
+        "cookie-signature": "1.0.6"
+      }
+    },
     "cookie-signature": {
       "version": "1.0.6",
       "resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.6.tgz",
diff --git a/package.json b/package.json
index 3e6fd24cc6092944270f69f8e08c189ed6ef0140..f986fbdfae748b48cfee2fabaa70655761a4c495 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "middleware-legacy-auth",
-  "version": "1.0.0",
+  "version": "2.0.0",
   "description": "description",
   "author": "",
   "license": "MIT",
@@ -26,6 +26,7 @@
     "bluebird": "^3.5.3",
     "class-transformer": "^0.2.0",
     "class-validator": "^0.9.1",
+    "cookie-parser": "^1.4.4",
     "dotenv": "^6.1.0",
     "jsonwebtoken": "^8.4.0",
     "moment": "^2.24.0",
diff --git a/src/app.module.ts b/src/app.module.ts
index 9cd9d0bd911c6345fc17feb81def946021b94097..1c2198fe2ad7f3d25c3b017643fc1f660d208b2c 100644
--- a/src/app.module.ts
+++ b/src/app.module.ts
@@ -1,7 +1,7 @@
 import { Module, MiddlewareConsumer, RequestMethod } from '@nestjs/common';
 import { LegacyModule } from './legacy/legacy.module';
 import { ConfigModule } from './configuration/config.module';
-import { DecodeJWTPayloadMiddleware } from './middlewares/decode-jwt-payload.middleware';
+import { VerifyXsrfTokenAndDecodeJWTPayloadMiddleware } from './middlewares/decode-jwt-payload.middleware';
 
 @Module({
   imports: [ConfigModule, LegacyModule],
@@ -10,7 +10,7 @@ export class AppModule {
   configure(consumer: MiddlewareConsumer) {
     // Applying the middleware that takes the Authorization header jwt payload and put it in the request headers
     consumer
-      .apply(DecodeJWTPayloadMiddleware).forRoutes(
+      .apply(VerifyXsrfTokenAndDecodeJWTPayloadMiddleware).forRoutes(
         { path: 'user', method: RequestMethod.GET },
         { path: 'user', method: RequestMethod.DELETE },
         { path: 'user/resources', method: RequestMethod.GET },
diff --git a/src/configuration/config.service.ts b/src/configuration/config.service.ts
index 7fc9a826b9016b05746da771a011029dc6cb6897..a0a45717da7d8369b6bfecf6eee3db94dcbfd862 100644
--- a/src/configuration/config.service.ts
+++ b/src/configuration/config.service.ts
@@ -25,6 +25,7 @@ export class ConfigService {
     this._config.userSupportMailbox = process.env.USER_SUPPORT_MAILBOX;
     this._config.frontEnd.url = process.env.FRONT_END_URL;
     this._config.apiKey = process.env.API_KEY;
+    this._config.accessTokenCookieKey = process.env.ACCESS_TOKEN_COOKIE_KEY;
 
     this.initilizePublicPrivateKeys();
   }
diff --git a/src/configuration/config.ts b/src/configuration/config.ts
index 9dbef1dcd287820576fe27e4fd1a42ba869aede1..513e46ad51beba90b1bb07511b701a428f960994 100644
--- a/src/configuration/config.ts
+++ b/src/configuration/config.ts
@@ -19,4 +19,5 @@ export const Config = {
   },
   imageHost: 'https://highway-to-data.alpha.grandlyon.com/email-template-assets',
   apiKey: '',
+  accessTokenCookieKey: '',
 };
\ No newline at end of file
diff --git a/src/legacy/legacy.controller.ts b/src/legacy/legacy.controller.ts
index 9a5ec8c418c5c4913a7bfd39d02fc2de86ea55ff..cdd7cb9aa2f613cd1d033f3619509bd520efb47f 100644
--- a/src/legacy/legacy.controller.ts
+++ b/src/legacy/legacy.controller.ts
@@ -17,7 +17,11 @@ export class LegacyController {
 
   @Get('user')
   @ApiOperation({ title: 'Get user info.' })
-  @ApiImplicitHeader({ name: 'Authorization', description: 'Bearer token'})
+  @ApiImplicitHeader({
+    name: 'Cookie',
+    description: 'The JWT token is sent by the browser as a cookie (refer to the config of the Authentication project to know which key is used)',
+  })
+  @ApiImplicitHeader({ name: 'x-xsrf-token', description: 'Xsrf Token'})
   @ApiResponse({ status: 200, description: 'User is existing, returning its info', type: UserInfo })
   @ApiResponse({ status: 400, description: 'Bad Request' })
   @ApiResponse({ status: 500, description: 'Internal error' })
@@ -100,7 +104,11 @@ export class LegacyController {
 
   @Delete('user')
   @ApiOperation({ title: 'Delete user account.' })
-  @ApiImplicitHeader({ name: 'Authorization', description: 'Bearer token'})
+  @ApiImplicitHeader({
+    name: 'Cookie',
+    description: 'The JWT token is sent by the browser as a cookie (refer to the config of the Authentication project to know which key is used)',
+  })
+  @ApiImplicitHeader({ name: 'x-xsrf-token', description: 'Xsrf Token'})
   @ApiResponse({ status: 204, description: 'Account deleted' })
   @ApiResponse({ status: 400, description: 'Bad Request (Invalid user credentials.)' })
   @ApiResponse({ status: 500, description: 'Internal error' })
@@ -123,7 +131,11 @@ export class LegacyController {
 
   @Put('user/updatePassword')
   @ApiOperation({ title: 'Check if the user exist, if the old password is correct and then update with the new password.' })
-  @ApiImplicitHeader({ name: 'Authorization', description: 'Bearer token'})
+  @ApiImplicitHeader({
+    name: 'Cookie',
+    description: 'The JWT token is sent by the browser as a cookie (refer to the config of the Authentication project to know which key is used)',
+  })
+  @ApiImplicitHeader({ name: 'x-xsrf-token', description: 'Xsrf Token'})
   @ApiResponse({ status: 200, description: 'Success' })
   @ApiResponse({ status: 400, description: 'Bad Request (user not found, password incorrect)' })
   @ApiResponse({ status: 500, description: 'Internal error' })
@@ -145,7 +157,11 @@ export class LegacyController {
 
   @Put('user/update')
   @ApiOperation({ title: 'Check if the user exist, update with the new info.' })
-  @ApiImplicitHeader({ name: 'Authorization', description: 'Bearer token'})
+  @ApiImplicitHeader({
+    name: 'Cookie',
+    description: 'The JWT token is sent by the browser as a cookie (refer to the config of the Authentication project to know which key is used)',
+  })
+  @ApiImplicitHeader({ name: 'x-xsrf-token', description: 'Xsrf Token'})
   @ApiResponse({ status: 200, description: 'Success', type: UserInfo })
   @ApiResponse({ status: 400, description: 'Bad Request (user not found, password incorrect)' })
   @ApiResponse({ status: 500, description: 'Internal error' })
@@ -214,7 +230,11 @@ export class LegacyController {
 
   @Get('user/resources')
   @ApiOperation({ title: 'Get the list of accessible resources by the specified user.' })
-  @ApiImplicitHeader({ name: 'Authorization', description: 'Bearer token'})
+  @ApiImplicitHeader({
+    name: 'Cookie',
+    description: 'The JWT token is sent by the browser as a cookie (refer to the config of the Authentication project to know which key is used)',
+  })
+  @ApiImplicitHeader({ name: 'x-xsrf-token', description: 'Xsrf Token'})
   @ApiResponse({ status: 200, description: 'Success, returns accessible resources', type: [Resource] })
   @ApiResponse({ status: 401, description: 'Authorization is not set, not a valid token, or user credentials are not correct'})
   @ApiResponse({ status: 500, description: 'Internal error' })
@@ -237,7 +257,11 @@ export class LegacyController {
 
   @Post('user/resources/add')
   @ApiOperation({ title: 'Request access to a restricted access dataset for an existing user.' })
-  @ApiImplicitHeader({ name: 'Authorization', description: 'Bearer token'})
+  @ApiImplicitHeader({
+    name: 'Cookie',
+    description: 'The JWT token is sent by the browser as a cookie (refer to the config of the Authentication project to know which key is used)',
+  })
+  @ApiImplicitHeader({ name: 'x-xsrf-token', description: 'Xsrf Token'})
   @ApiImplicitBody({ name: 'body', type: AccessRequest, isArray: true })
   @ApiResponse({ status: 201, description: 'Request created', type: AccessRequestResponse })
   @ApiResponse({ status: 400, description: 'Bad Request (Mode does not exist)' })
@@ -261,7 +285,11 @@ export class LegacyController {
 
   @Post('user/resources/renew')
   @ApiOperation({ title: 'Renew access to a restricted access dataset for an existing user.' })
-  @ApiImplicitHeader({ name: 'Authorization', description: 'Bearer token'})
+  @ApiImplicitHeader({
+    name: 'Cookie',
+    description: 'The JWT token is sent by the browser as a cookie (refer to the config of the Authentication project to know which key is used)',
+  })
+  @ApiImplicitHeader({ name: 'x-xsrf-token', description: 'Xsrf Token'})
   @ApiImplicitBody({ name: 'body', type: AccessRequest })
   @ApiResponse({ status: 201, description: 'Request created', type: AccessRenewalResponse })
   @ApiResponse({ status: 400, description: 'Bad Request (Mode does not exist)' })
@@ -285,7 +313,11 @@ export class LegacyController {
 
   @Delete('user/resources/delete')
   @ApiOperation({ title: 'Delete access to a service.' })
-  @ApiImplicitHeader({ name: 'Authorization', description: 'Bearer token'})
+  @ApiImplicitHeader({
+    name: 'Cookie',
+    description: 'The JWT token is sent by the browser as a cookie (refer to the config of the Authentication project to know which key is used)',
+  })
+  @ApiImplicitHeader({ name: 'x-xsrf-token', description: 'Xsrf Token'})
   @ApiImplicitBody({ name: 'body', type: AccessRequest, isArray: true })
   @ApiResponse({ status: 200, description: 'Access removed', type: AccessDeletionResponse })
   @ApiResponse({ status: 500, description: 'Internal error' })
diff --git a/src/main.ts b/src/main.ts
index d237ae314cd5028d62a271b7eafb414702a83bbb..8439bddee86a1039b345badbb1f9d579cb12d969 100644
--- a/src/main.ts
+++ b/src/main.ts
@@ -2,10 +2,12 @@ import { NestFactory } from '@nestjs/core';
 import { AppModule } from './app.module';
 import { DocumentBuilder, SwaggerModule } from '@nestjs/swagger';
 import { ValidationPipe } from '@nestjs/common';
+import * as cookieParser from 'cookie-parser';
 
 async function bootstrap() {
   const app = await NestFactory.create(AppModule);
   app.enableCors({ credentials: true, origin: true });
+  app.use(cookieParser());
 
   const options = new DocumentBuilder()
     .setBasePath('')
diff --git a/src/middlewares/decode-jwt-payload.middleware.ts b/src/middlewares/decode-jwt-payload.middleware.ts
index 80ada259fc5e29a1d017850741056f45ebf417ff..8b7e055396bbaef091128f04e6b06a2c7886adf4 100644
--- a/src/middlewares/decode-jwt-payload.middleware.ts
+++ b/src/middlewares/decode-jwt-payload.middleware.ts
@@ -1,23 +1,38 @@
 import { UnauthorizedException, Logger, NestMiddleware, MiddlewareFunction, Injectable } from '@nestjs/common';
 import * as jwt from 'jsonwebtoken';
+import { ConfigService } from '../configuration/config.service';
 
 @Injectable()
-export class DecodeJWTPayloadMiddleware implements NestMiddleware {
+export class VerifyXsrfTokenAndDecodeJWTPayloadMiddleware implements NestMiddleware {
+
+  constructor(
+    private _configService: ConfigService,
+  ) {}
+
   resolve(): MiddlewareFunction {
     return (req, res, next) => {
-      Logger.log('[-] DecodeJWTPayloadMiddleware');
-      if (req.headers['x-anonymous-consumer'] !== 'true' && req.headers.authorization) {
-        const arr = req.headers.authorization.split(' ');
-        const token = jwt.decode(arr[1]);
+      Logger.log('[-] VerifyXsrfTokenAndDecodeJWTPayloadMiddleware');
+      // Verifying that all the authentications part are set
+      // tslint:disable-next-line:max-line-length
+      if (req.headers['x-anonymous-consumer'] !== 'true' && req.cookies[this._configService.config.accessTokenCookieKey] && req.headers['x-xsrf-token']) {
+        let token = req.cookies[this._configService.config.accessTokenCookieKey];
+        const xsrfToken = req.headers['x-xsrf-token'];
+        token = jwt.decode(token);
+        // Make sure the token has correctly been decrypted
         if (token) {
-          req.headers.token = token;
-          next();
+          // Verify the wsrfToken from the header with the value of the corresponding in the JWT payload
+          if (token.xsrfToken === xsrfToken) {
+            req.headers.token = token;
+            next();
+          } else {
+            throw new UnauthorizedException('Could\'t verify xsrf token.');
+          }
         } else {
           throw new UnauthorizedException('Invalid token provided.');
         }
       } else {
-        throw new UnauthorizedException('No authorization header provided.');
+        throw new UnauthorizedException('Missing credential information.');
       }
     };
   }
-}
\ No newline at end of file
+}