I was trying to secure a post method against side scripting just now through providing an anti forgery token but noticed, in .Net Core there is another attribute named as <code>AutoAntiForgeryToken</code>. The XML comments, and the online search did not provide much info on this new attribute. Any help and description of what the new attribute is, will be much appreciated.

From <code>AutoValidateAntiforgeryTokenAttribute</code> documentation: <blockquote> An attribute that causes validation of antiforgery tokens for all unsafe HTTP methods. An antiforgery token is required for HTTP methods other than GET, HEAD, OPTIONS, and TRACE. It can be applied at as a global filter to trigger validation of antiforgery tokens by default for an application. </blockquote> <code>AutoValidateAntiforgeryTokenAttribute</code> allows to apply Anti-forgery token validation globally to all unsafe methods e.g. <code>POST, PUT, PATCH and DELETE</code>. Thus you don't need to add <code>[ValidateAntiForgeryToken]</code> attribute to each and every action that requires it. To use it add the following code to your <code>ConfigureServices</code> method of <code>Startup</code> class <pre class="prettyprint"><code>services.AddMvc(options => { options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()); }); </code></pre> If you need to ignore Anti forgery validation you can add <code>[IgnoreAntiforgeryToken]</code> attribute to the action.

AutoValidateAntiForgeryToken vs. ValidateAntiForgeryToken

Tags:

asp.net

asp.net-core

.net-core

asp.net-core-mvc

I was trying to secure a post method against side scripting just now through providing an anti forgery token but noticed, in .Net Core there is another attribute named as AutoAntiForgeryToken. The XML comments, and the online search did not provide much info on this new attribute.

Any help and description of what the new attribute is, will be much appreciated.

625

asked Oct 09 '16 19:10

Arnold Zahrneinder

1 Answers

From AutoValidateAntiforgeryTokenAttribute documentation:

An attribute that causes validation of antiforgery tokens for all unsafe HTTP methods. An antiforgery token is required for HTTP methods other than GET, HEAD, OPTIONS, and TRACE. It can be applied at as a global filter to trigger validation of antiforgery tokens by default for an application.

AutoValidateAntiforgeryTokenAttribute allows to apply Anti-forgery token validation globally to all unsafe methods e.g. POST, PUT, PATCH and DELETE. Thus you don't need to add [ValidateAntiForgeryToken] attribute to each and every action that requires it.

To use it add the following code to your ConfigureServices method of Startup class

services.AddMvc(options => {     options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()); });

If you need to ignore Anti forgery validation you can add [IgnoreAntiforgeryToken] attribute to the action.

answered Oct 18 '22 20:10

Andrei Mihalciuc

Related questions
                            
                                Upload files directly to Amazon S3 from ASP.NET application
                            
                                Is it possible to use async/await in MVC 4 AuthorizeAttribute?
                            
                                Cache-Control Headers in ASP.NET
                            
                                How do I get msdeploy to create App_Data if it doesn't exist, but not delete any contents of the remote directory?
                            
                                How to resolve "Server Error in '/' Application" error?
                            
                                Visual Studio publish in debug Vs Release mode
                            
                                What happens if an exception occurs in Catch block in C#. Also what would be the caller result in that case
                            
                                Page_Init vs OnInit
                            
                                Advanced: How many times does HttpModule Init() method get called during application's life?
                            
                                Select box binding in blazor
                            
                                Connection string hell in .NET / LINQ-SQL / ASP.NET
                            
                                How can I implement Claims-Based Authorization with ASP.NET WebAPI without using Roles?
                            
                                Mocking framework for asp.net core 5.0
                            
                                The specified CGI application encountered an error and the server terminated the process
                            
                                LinkButton in ListView in UpdatePanel causes full postback
                            
                                Mapping SignalR connections to users
                            
                                Web authentication state - Session vs Cookie?
                            
                                How to register .Net 4.5.1 with IIS8 on windows 10
                            
                                Disabling account lockout with the SqlMembershipProvider
                            
                                CORS POST Requests not working - OPTIONS (Bad Request) - The origin is not allowed

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!

Donate Us With