
I'm not exactly sure if I have to attach an XSRF middleware or not to my ASP.NET Core REST API app. I've configured my application pipeline to make use of CORS by adding the UseCors() middleware, but still don't understand if this is enough or not.

Right now I'm using both AddAntiforgery and AddCors, as well as using my own middleware UseXsrf and Microsoft's UseCors.

2 Answers


CORS and XSRF solve different problems and are not technically related, only conceptually.

They both protect against usage from a non-trusted domain.

CORS will not allow domainA to make AJAX requests to an API in domain

XSRF protects cookie-based authentication and does not let domainA post a form in domainB.

APIs don't usually use the second option, so you most probably don't need it at all. It is usually for MVC applications.

Athanasios Kataras

Cross-Origin Requests (CORS):

CORS only applies in a browser context and is a security mechanism to allow one origin to make a request to another origin. All browsers follow the Single Origin Policy, meaning by default scripts cannot make requests to other origins; but if the server provides properly configured CORS headers, this policy can be selectively relaxed.

For more detailed information about CORS, see Enable Cross-Origin Requests (CORS) in ASP.NET Core.

Cross-Site Request Forgery (XSRF/CSRF) attacks

CSRF is an attack in which a malicious site uses the authenticated user's information (such as an authentication cookie or authentication token) to execute unwanted actions on a web application. You can find more detail in Prevent Cross-Site Request Forgery (XSRF/CSRF) attacks in ASP.NET Core.

In my opinion, if you want to make the application more secure, you could use both of them.

Reference: Does a proper CORS setup prevent XSRF?

Zhi Lv
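As an added example following the second answer's advice to use both (this is not code from the question or either answer), here is a minimal ASP.NET Core 8 Program.cs that wires up AddCors/UseCors alongside AddAntiforgery/UseAntiforgery for a cookie-authenticated API. The origin https://app.example.com, the policy name "SpaOrigin", the header name X-XSRF-TOKEN and the endpoint paths are placeholders I chose; it assumes .NET 8, where UseAntiforgery() is available for minimal APIs.

```csharp
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Authentication.Cookies;
var builder = WebApplication.CreateBuilder(args);

// Cookie authentication is what makes CSRF relevant: the browser attaches the cookie
// to any request aimed at this host, whichever site initiated it.
builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme).AddCookie();
builder.Services.AddAuthorization();
// CORS only governs which foreign origins the browser lets *read* responses from this API.
// It does not stop a browser from *sending* a cross-site form POST that carries the cookie.
builder.Services.AddCors(options =>
    options.AddPolicy("SpaOrigin", policy => policy
        .WithOrigins("https://app.example.com")   // placeholder origin; never pair AllowAnyOrigin() with AllowCredentials()
        .AllowAnyHeader()
        .AllowAnyMethod()
        .AllowCredentials()));
// Antiforgery: a token the legitimate page must echo back in a header; a foreign page
// cannot read it, so a forged request fails validation even though the cookie is sent.
builder.Services.AddAntiforgery(options => options.HeaderName = "X-XSRF-TOKEN");

var app = builder.Build();

app.UseCors("SpaOrigin");
app.UseAuthentication();
app.UseAuthorization();
app.UseAntiforgery();   // must run after authentication so the token is bound to the signed-in user

// The front end fetches this once (with credentials) and stores the token for later requests.
app.MapGet("/antiforgery/token", (IAntiforgery antiforgery, HttpContext ctx) =>
{
    var tokens = antiforgery.GetAndStoreTokens(ctx);   // also issues the cookie half of the token pair
    return Results.Ok(new { token = tokens.RequestToken });
});
// State-changing endpoint: reject any request that lacks a valid X-XSRF-TOKEN header.
app.MapPost("/api/orders", async (IAntiforgery antiforgery, HttpContext ctx) =>
{
    try
    {
        await antiforgery.ValidateRequestAsync(ctx);
    }
    catch (AntiforgeryValidationException)
    {
        return Results.BadRequest(new { error = "missing or invalid antiforgery token" });
    }
    return Results.Ok(new { status = "accepted" });
}).RequireAuthorization();

app.Run();
```

A cross-site page can still make the browser send the POST with the cookie attached, but it cannot read the token from /antiforgery/token, so ValidateRequestAsync rejects the request; the CORS policy on its own would not have stopped it.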