Security first.
MVC best practices recommend adding the [ValidateAntiForgeryToken] attribute to each [HttpPost] action.
How can I enforce this rule in one unique point of the application?
The purpose of the ValidateAntiForgeryToken attribute is to prevent cross-site request forgery (CSRF), an attack in which a harmful request, command or script is sent from the browser of a trusted, already authenticated user. The anti-forgery token is a security value generated by the web application and checked on each POST request to guard against CSRF. Html.AntiForgeryToken() generates a hidden form field (the anti-forgery token) that is validated, together with a matching cookie, when the form is submitted. To embed custom data in the token, use the static AntiForgeryConfig.AdditionalDataProvider property. The older AntiForgeryToken(String) overload derived the field value from the given salt; that salt parameter is obsolete in MVC 4 and later.
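The paragraph above mentions .NET Core; in ASP.NET Core the "one unique point" the question asks for is a global AutoValidateAntiforgeryTokenAttribute filter, which validates every unsafe verb (POST, PUT, PATCH, DELETE) and lets GET, HEAD, OPTIONS and TRACE through. The following is an added example, not code from the original page; AccountController, its actions and the X-CSRF-TOKEN header name are illustrative:

```csharp
// Added example (not from the original page). Program.cs for an ASP.NET Core MVC app.
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// Single enforcement point: every controller action reached by an unsafe verb
// must present a valid anti-forgery token, with no per-action attribute needed.
builder.Services.AddControllersWithViews(options =>
    options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()));

// Let fetch/XHR callers send the token in a request header instead of a form field.
// Header name is an assumption for this example.
builder.Services.AddAntiforgery(options => options.HeaderName = "X-CSRF-TOKEN");

var app = builder.Build();
app.MapDefaultControllerRoute();
app.Run();

// Illustrative controller. The POST action carries no [ValidateAntiForgeryToken]
// because the global filter already covers it.
public class AccountController : Controller
{
    [HttpGet]
    public IActionResult ChangeEmail() => View();

    [HttpPost]
    public IActionResult ChangeEmail(string email) => RedirectToAction(nameof(ChangeEmail));

    // Explicit, reviewable opt-out for a machine-to-machine caller that can never
    // hold the browser's anti-forgery cookie. Authenticate it by other means.
    [HttpPost, IgnoreAntiforgeryToken]
    public IActionResult PaymentWebhook() => Ok();
}
```

On the view side the form tag helper (`<form asp-action="ChangeEmail">`) emits the hidden `__RequestVerificationToken` field automatically, and `@Html.AntiForgeryToken()` does the same for a hand-written form. Prefer the narrow `[IgnoreAntiforgeryToken]` opt-out over removing the global filter: the opt-outs then show up in code review as the only places where CSRF protection is absent.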
The following class allows doing this with a FilterProvider:
    using System;
    using System.Collections.Generic;
    using System.Web.Mvc;

    // Adds ValidateAntiForgeryTokenAttribute as a global-scope filter to every POST request.
    public class AntiForgeryTokenFilterProvider : IFilterProvider
    {
        public IEnumerable<Filter> GetFilters(ControllerContext controllerContext, ActionDescriptor actionDescriptor)
        {
            List<Filter> result = new List<Filter>();
            string incomingVerb = controllerContext.HttpContext.Request.HttpMethod;
            if (String.Equals(incomingVerb, "POST", StringComparison.OrdinalIgnoreCase))
            {
                result.Add(new Filter(new ValidateAntiForgeryTokenAttribute(), FilterScope.Global, null));
            }
            return result;
        }
    }
To use the above class, add this to the RegisterGlobalFilters method in the Global.asax file:
    ...
    FilterProviders.Providers.Add(new AntiForgeryTokenFilterProvider());
    ...
Doing this, each [HttpPost] will check if the Html.AntiForgeryToken() is in the view.
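The provider in the answer keys on the HTTP verb, so it covers every POST whether or not the action is marked [HttpPost], including endpoints that cannot carry a browser token (webhooks, machine-to-machine callbacks). Below is an added example, not code from the original answer, that wires the provider end to end for ASP.NET MVC 5 (System.Web.Mvc) and adds an explicit opt-out so those exceptions are visible in code review. SkipAntiForgeryAttribute, AccountController, its actions and the view are illustrative names:

```csharp
// Added example, not the original answer's code: global anti-forgery provider with an
// opt-out attribute, Global.asax registration, a controller and the matching view.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web.Mvc;

// Hypothetical opt-out for endpoints that receive POSTs without a browser session.
// Such endpoints need a different authenticator (shared secret, request signature).
[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, Inherited = true, AllowMultiple = false)]
public sealed class SkipAntiForgeryAttribute : Attribute { }

public class AntiForgeryTokenFilterProvider : IFilterProvider
{
    public IEnumerable<Filter> GetFilters(ControllerContext controllerContext, ActionDescriptor actionDescriptor)
    {
        // Key on the verb, not on [HttpPost]: a POST-reachable action that forgot the
        // attribute is still protected, which is the point of enforcing this centrally.
        string verb = controllerContext.HttpContext.Request.HttpMethod;
        if (!string.Equals(verb, "POST", StringComparison.OrdinalIgnoreCase))
            return Enumerable.Empty<Filter>();

        // Honour the opt-out whether it is declared on the action or on its controller.
        bool skip = actionDescriptor.GetCustomAttributes(typeof(SkipAntiForgeryAttribute), true).Any()
                 || actionDescriptor.ControllerDescriptor.GetCustomAttributes(typeof(SkipAntiForgeryAttribute), true).Any();
        if (skip)
            return Enumerable.Empty<Filter>();

        // Global scope with a null order behaves like a filter added to GlobalFilters.Filters.
        return new[] { new Filter(new ValidateAntiForgeryTokenAttribute(), FilterScope.Global, null) };
    }
}

// Global.asax.cs
public class MvcApplication : System.Web.HttpApplication
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());
        // Registered once; from here on every POST in the application is validated.
        FilterProviders.Providers.Add(new AntiForgeryTokenFilterProvider());
    }

    protected void Application_Start()
    {
        AreaRegistration.RegisterAllAreas();
        RegisterGlobalFilters(GlobalFilters.Filters);
        // Route registration etc. as generated by the project template.
    }
}

public class AccountController : Controller
{
    [HttpGet]
    public ActionResult ChangeEmail()
    {
        return View();
    }

    // No [ValidateAntiForgeryToken] here: the provider supplies it. The body runs only if the
    // __RequestVerificationToken form field matches the __RequestVerificationToken cookie;
    // otherwise ValidateAntiForgeryTokenAttribute throws HttpAntiForgeryException first.
    [HttpPost]
    public ActionResult ChangeEmail(string email)
    {
        return RedirectToAction("ChangeEmail");
    }

    // Machine-to-machine POST that can never carry the browser cookie/field pair.
    [HttpPost, SkipAntiForgery]
    public ActionResult PaymentWebhook()
    {
        return new HttpStatusCodeResult(200);
    }
}

/* Views/Account/ChangeEmail.cshtml: the hidden field emitted here is what the filter validates.
@using (Html.BeginForm("ChangeEmail", "Account", FormMethod.Post))
{
    @Html.AntiForgeryToken()
    @Html.TextBox("email")
    <input type="submit" value="Save" />
}
*/
```

Two caveats when rolling this out. ValidateAntiForgeryTokenAttribute in System.Web.Mvc reads the token from the form body only, so XHR callers must post `__RequestVerificationToken` as a form-encoded field (read it from the hidden input the view rendered) or they will start failing as soon as the provider is registered. And the provider covers POST alone; if the application also routes state-changing PUT or DELETE requests, extend the verb check to those methods, otherwise they remain unprotected.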