
I'm reading that POST is considered secure and GET is not, and that we should implement [ValidateAntiForgeryToken] in every action of every controller.

The question is: do I need to use the [ValidateAntiForgeryToken] data annotation when I use [POST]?

John Doe
  • No, it isn't auto-implemented; you need to put an attribute on your ActionResult. Check this answer for more detail: https://stackoverflow.com/a/13622061/713789 – Anirudha Gupta Jul 25 '17 at 14:05
  • Not yet in the official stable branch, but probably it will be from 2.0: https://github.com/aspnet/Docs/issues/3688 – J. Doe Jul 25 '17 at 14:25

1 Answer


It's off by default.
There's a good reason for this: not every POST has to come from a form (especially true since your question is tagged asp.net-core).

You should decorate your controller action with [ValidateAntiForgeryToken]:

[ValidateAntiForgeryToken]
public IActionResult Post(Model model)
{
    // ... etc
}

If you're using the form tag helper, it will automatically add the anti-forgery token for you into the <form> markup.

The markup generated will look something like:

<form action="/MyController" method="post">
    <input name="__RequestVerificationToken" type="hidden" value="fhTFfhkKNsdfhYazFtN6c4YbZAmsEwG0srqlUqqloi/OIJOIJoijojhishg" />
    <!-- rest of form here -->
</form>

Note: You can also manually enable/disable __RequestVerificationToken generation using the form tag helper:

<form
 asp-controller="MyController"
 asp-action="MyAction"
 asp-antiforgery="false"
 method="post">
    <!-- rest of form here -->
</form>

Alex
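An added example, not part of Alex's answer, showing the two ways to apply the check in an ASP.NET Core 2.x MVC project: per action with [ValidateAntiForgeryToken], or globally with the AutoValidateAntiforgeryToken filter, which validates every POST/PUT/PATCH/DELETE action and can be opted out of per action with [IgnoreAntiforgeryToken]. ProfileController and ProfileModel are hypothetical names.

```csharp
// Added example (not from the original answer). Assumes an ASP.NET Core 2.x MVC
// project; ProfileController and ProfileModel are hypothetical names.
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Global filter: validate the antiforgery token on every POST, PUT,
        // PATCH and DELETE action, so a forgotten [ValidateAntiForgeryToken]
        // cannot leave an unsafe-method endpoint unprotected. GET, HEAD,
        // OPTIONS and TRACE are never validated by this filter.
        services.AddMvc(options =>
            options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()));
    }
}

public class ProfileModel
{
    public string DisplayName { get; set; }
}

public class ProfileController : Controller
{
    // GET renders the form; the form tag helper emits the hidden
    // __RequestVerificationToken field and its companion cookie.
    [HttpGet]
    public IActionResult Edit() => View(new ProfileModel());

    // Validated by the global filter above. When no global filter is
    // registered, this explicit attribute is what enforces the check.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public IActionResult Edit(ProfileModel model)
    {
        if (!ModelState.IsValid) return View(model);
        // ... persist model ...
        return RedirectToAction(nameof(Edit));
    }

    // Opt-out for a POST that is not submitted by a browser form. Appropriate
    // only when the endpoint is not authenticated by ambient cookies.
    [HttpPost]
    [IgnoreAntiforgeryToken]
    public IActionResult Ping() => Ok();
}
```

With the global filter in place, a POST to Edit that lacks a valid token is rejected with a 400 before the action body runs.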