I guess 7.4 doesn't have a landing page for configuring CSRF.
You can make use of the following DSS (RS: Pega-Engine). (Requires a server restart to take effect.)
security/csrf/securedActivities - comma-separated list. The format for the list of activities would be Data-Admin-Operator-ID.AddNewOperator, PegaAccel-Task-GenerateApp.CreateAllOperatorIds, Data-Admin-.pzCreateOperator
security/csrf/securedStreams - comma-separated list. The format for the list of streams would be @baseclass.ActionPreviousOperator, @baseclass.Operator-MenuPassword
security/csrf/validreferers - comma-separated host names. This setting specifies the valid referers the incoming requests can have. Sample value: http://wrupaaw7,http://wrupaaw7:8080
security/csrf/mitigation - the switch used to toggle the "CSRF mitigation using referer validation" feature on or off. The default value is FALSE. Sample value: TRUE
security/csrf/secureall - Indicates that all activities and streams are secured – no exceptions.
Note: There might be changes (addition of new ones) in DSS over the versions. Please do check as per the version.
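An added illustration, not part of the original post and not Pega's own code: a minimal referer allow-list check driven by a value in the validreferers format above, comparing scheme, host and port exactly rather than by string prefix. The function names, the fail-closed handling of a missing Referer header and the exact-origin comparison are assumptions made for this sketch; the post does not say how the platform itself matches referers.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Return (scheme, host, port) for an absolute http(s) URL, else None."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port            # raises ValueError on a malformed port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    return (scheme, parts.hostname.lower(), port or DEFAULT_PORTS[scheme])

def parse_valid_referers(dss_value):
    """Turn the comma-separated setting into a set of origins (hypothetical helper)."""
    allowed = set()
    for entry in dss_value.split(","):
        if not entry.strip():
            continue
        parsed = origin(entry)
        if parsed is None:
            raise ValueError(f"not an http(s) host entry: {entry!r}")
        allowed.add(parsed)
    return allowed

def referer_allowed(referer_header, allowed, mitigation=True):
    """Decide whether a request's Referer passes the allow-list."""
    if not mitigation:               # feature switched off: nothing is checked
        return True
    if not referer_header:           # assumption: missing Referer fails closed
        return False
    return origin(referer_header) in allowed

# Sample value taken from the post; the request URLs below are constructed.
ALLOWED = parse_valid_referers("http://wrupaaw7,http://wrupaaw7:8080")

if __name__ == "__main__":
    for ref in ("http://wrupaaw7:8080/prweb/app",
                "http://wrupaaw7.example.test/prweb/app",
                "https://wrupaaw7/prweb/app"):
        print(ref, "->", referer_allowed(ref, ALLOWED))
```

Under this exact-origin comparison, a host on a non-default port needs its own entry, and an https front end needs an https entry.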