.NET Tips and Tricks

Blog archive

How to Efficiently Validate Against Cross-Site Request Forgery Attacks in ASP.NET Core

If you're worried about CSRF (Cross-Site Request Forgery) attacks (and you probably should be), then you've already added the code to your Views that adds an anti-forgery token to the data that the browser sends back to the server. If you're using HTML Helpers, that code looks like this:

@Html.AntiForgeryToken()

If you're working in ASP.NET Core and have enabled Tag Helpers, then you don't even need to use that code -- the <form> element has a tag helper associated with it that adds the field automatically.

The issue is that, in your HttpPost methods, you need to check that you get that token back. That is easy to do in both ASP.NET MVC and ASP.NET Core: You just add the ValidateAntiForgeryToken attribute to your methods. There was always, of course, the danger that you'd miss adding it to one of your HttpPost methods, which would be ... unfortunate. It would be easier just to add the attribute to your controller class. The problem with that solution is that you'd be incurring the cost of checking for the token with every request, not just with the HttpPost methods.

If this worries you (and you're using ASP.NET Core), then you can add the AutoAntiForgeryToken to your controller classes, like this:

[AutoAntiForgeryToken]
public class TodoListController: Controller
{

This attribute checks only the dangerous methods (that is, only methods that aren't a GET or one of the other methods you never use: TRACE, OPTIONS and HEAD). You'll get all the protection you need and none that you don't.

Posted by Peter Vogel on 09/17/2019 at 8:57 AM


Featured

  • Bright Tunnel

    Visual Studio 16.4 Preview 2 Boosted by Extension Tech

    Microsoft today shipped Visual Studio 2019 v16.4 Preview 2, boosted with new features that come from formerly separate extensions.

  • Nebula

    .NET Core 3.1 Preview 1 Focuses on Blazor, Desktop

    The first preview of .NET Core 3.1 focuses on two of the big features highlighting the Sept. 23 release of .NET Core 3.0: Blazor (for C# Web development instead of JavaScript) and desktop development (Windows Forms and Windows Presentation Foundation).

  • Stone Steps Graphic

    Microsoft Research's SandDance Data Visualization Tool Goes Open Source

    A data visualization tool some four years in the making from Microsoft Research has been open sourced, available for use as an extension for Visual Studio Code or Azure Data Studio.

.NET Insight

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.

Upcoming Events