Should I use ValidateAntiForgeryToken in every POST request? [closed]

I have a bunch of pages with HttpPost requests, and I got a document from my coworker who scanned my site with Acunetix (I think). The result says "HTML form without CSRF protection (9)". The suggestion is to use the Same-origin policy by implementing a token. My questions:

  1. From a performance vs. security standpoint, is it worth it to use a token in every POST request? I only use a token in sensitive POST requests like LogIn, Register, Transaction, etc.
  2. This is probably not relevant to the title, but why does pentest software like Acunetix list only a few of my pages as a possible CSRF risk when I have a lot of pages with POST requests? How does the detection pattern work?

Any help will be appreciated.

warheat1990 asked Jun 26 '15 04:06


1 Answer

Yes, you should include the ValidateAntiForgeryToken attribute in every HttpPost... assuming you are using best practices and HttpPost means that the request has some kind of side effect.

For a long discussion on the matter, see this discussion over on the IT Security SE site.

It looks like Acunetix is just reporting this on each page that contains a form with no token present. See their documentation.

Brad C answered Oct 02 '22 04:10
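One way to apply the answer's advice without having to remember the attribute on every action, as an added example (this is not the answerer's code and not from the asker's project): a global ASP.NET MVC 5 authorization filter that runs the same AntiForgery.Validate() check that [ValidateAntiForgeryToken] performs on every request whose HTTP method is not a safe method. The SkipAntiForgery opt-out attribute and the filter class name are my own naming, and the example assumes System.Web.Mvc and System.Web.Helpers are referenced.

```csharp
// Added example (not from the answer above): a global authorization filter for
// ASP.NET MVC 5 that validates the anti-forgery token on every state-changing
// request, so no POST action can be forgotten. Assumes System.Web.Mvc and
// System.Web.Helpers (the same AntiForgery helper [ValidateAntiForgeryToken] uses).
using System;
using System.Web.Helpers;
using System.Web.Mvc;

// Hypothetical opt-out marker for the rare endpoint that is legitimately called
// cross-site (e.g. a webhook authenticated by some other means). Document every use.
[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, Inherited = true)]
public sealed class SkipAntiForgeryAttribute : Attribute { }

public sealed class ValidateAntiForgeryTokenOnUnsafeMethodsAttribute
    : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null) throw new ArgumentNullException("filterContext");

        // Safe methods (GET/HEAD/OPTIONS/TRACE) must not have side effects, so they
        // need no token; every other method is treated as state-changing.
        string method = filterContext.HttpContext.Request.HttpMethod;
        if (string.Equals(method, "GET", StringComparison.OrdinalIgnoreCase) ||
            string.Equals(method, "HEAD", StringComparison.OrdinalIgnoreCase) ||
            string.Equals(method, "OPTIONS", StringComparison.OrdinalIgnoreCase) ||
            string.Equals(method, "TRACE", StringComparison.OrdinalIgnoreCase))
            return;

        if (filterContext.ActionDescriptor.IsDefined(typeof(SkipAntiForgeryAttribute), true) ||
            filterContext.ActionDescriptor.ControllerDescriptor.IsDefined(typeof(SkipAntiForgeryAttribute), true))
            return;

        // Same check [ValidateAntiForgeryToken] performs: compares the __RequestVerificationToken
        // form field against the cookie token and throws HttpAntiForgeryException on mismatch.
        AntiForgery.Validate();
    }
}

// Register once in App_Start/FilterConfig.cs; per-action [ValidateAntiForgeryToken]
// attributes then become redundant but harmless.
public static class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());
        filters.Add(new ValidateAntiForgeryTokenOnUnsafeMethodsAttribute());
    }
}
```

Each form in the views still has to emit the token with @Html.AntiForgeryToken(), otherwise every POST is rejected; Acunetix's finding is precisely that a form lacks this hidden field.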