Include Html.AntiForgeryToken() For All ASP.NET MVC Forms for Security

After implementing new form pages in ASP.NET MVC, there are two things that should be added to every form:

Inside the Html.BeginForm() block, put @Html.AntiForgeryToken()

Add the [ValidateAntiForgeryToken] attribute to every POST action method.
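The two steps above, put together in one added example (this is not code from the original post; the controller, view, model and action names are assumed, and the view uses Razor syntax, so it targets MVC 3 or later):

```csharp
@* --- Views/Profile/Edit.cshtml (Razor view; names are assumed for this example) --- *@
@model MyApp.Models.ProfileViewModel

@using (Html.BeginForm("Edit", "Profile", FormMethod.Post))
{
    @* Step 1: emits a hidden __RequestVerificationToken field that is paired
       with an anti-forgery cookie set on the same response. *@
    @Html.AntiForgeryToken()

    @Html.LabelFor(m => m.DisplayName)
    @Html.TextBoxFor(m => m.DisplayName)
    @Html.ValidationMessageFor(m => m.DisplayName)

    <input type="submit" value="Save" />
}

// --- Models/ProfileViewModel.cs ---
using System.ComponentModel.DataAnnotations;

namespace MyApp.Models
{
    public class ProfileViewModel
    {
        [Required, StringLength(50)]
        public string DisplayName { get; set; }
    }
}

// --- Controllers/ProfileController.cs ---
using System.Web.Mvc;
using MyApp.Models;

namespace MyApp.Controllers
{
    public class ProfileController : Controller
    {
        // GET /Profile/Edit: renders the form (and therefore the token) for the signed-in user.
        // GET actions must not change state; the token check below only protects POSTs.
        [HttpGet]
        public ActionResult Edit()
        {
            return View(new ProfileViewModel { DisplayName = User.Identity.Name });
        }

        // Step 2: POST /Profile/Edit. The attribute compares the form token with the
        // anti-forgery cookie before the action body runs and rejects the request
        // (HttpAntiForgeryException) if either is missing or they do not match.
        [HttpPost]
        [ValidateAntiForgeryToken]
        public ActionResult Edit(ProfileViewModel model)
        {
            if (!ModelState.IsValid)
            {
                return View(model);
            }

            // Persist model.DisplayName here (storage code is out of scope for this example).
            return RedirectToAction("Edit");
        }
    }
}
```

A failed check surfaces as an HttpAntiForgeryException; left unhandled it becomes a server error, so production applications usually map it to a friendly error page in a global filter. The attribute only guards actions you decorate, which is why the post's rule is "every POST action method" rather than a one-off.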

What this does is make sure that the browser submitting the POST is the same trusted browser that requested the original GET page, since only that browser holds the token pair the form was rendered with. However, this assumes that the end user is running a trusted browser.

The idea is that a user working in their own browser knows they are on a trusted site and will not be posting bad code back to the server; the token is what lets the server tell that user's request apart from one forged by another site.
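To make the check concrete, here is an added, self-contained C# console program (not the framework's code, and not from the original post) that models what ValidateAntiForgeryToken compares: a random cookie token issued with the GET response, and a form token that is the server's HMAC over that cookie token. The real implementation also binds the form token to the user's identity and derives its key from the machine key; both are omitted here, and the server key below is an assumed placeholder generated at startup. It targets .NET 6 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class AntiForgeryModel
{
    // Assumed server-side secret; the framework derives its key from the machine key instead.
    private static readonly byte[] ServerKey = RandomNumberGenerator.GetBytes(32);

    // Issued with the GET response: a random cookie token plus a form token that is an
    // HMAC over the cookie token, so only the server can mint a matching pair.
    public static (string CookieToken, string FormToken) Issue()
    {
        string cookieToken = Convert.ToBase64String(RandomNumberGenerator.GetBytes(16));
        return (cookieToken, Sign(cookieToken));
    }

    // Run on POST: both tokens must be present and the form token must equal the
    // server's signature of the cookie token. Comparison is constant-time.
    public static bool Validate(string cookieToken, string formToken)
    {
        if (string.IsNullOrEmpty(cookieToken) || string.IsNullOrEmpty(formToken))
        {
            return false;
        }

        byte[] expected = Encoding.UTF8.GetBytes(Sign(cookieToken));
        byte[] actual = Encoding.UTF8.GetBytes(formToken);
        return CryptographicOperations.FixedTimeEquals(expected, actual);
    }

    private static string Sign(string cookieToken)
    {
        using var hmac = new HMACSHA256(ServerKey);
        return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(cookieToken)));
    }

    public static void Main()
    {
        // 1. Legitimate flow: the browser fetched the form from the site, so it holds both tokens.
        var (cookie, form) = Issue();
        Console.WriteLine($"legitimate POST accepted: {Validate(cookie, form)}");

        // 2. Cross-site POST: the browser still attaches the cookie automatically, but the
        //    foreign page cannot read it, so it cannot supply a form token that matches.
        Console.WriteLine($"forged POST without form token accepted: {Validate(cookie, null)}");
        Console.WriteLine($"forged POST with wrong form token accepted: {Validate(cookie, "AAAA")}");

        // 3. A token pair from a different session does not match this browser's cookie either.
        var (_, otherForm) = Issue();
        Console.WriteLine($"form token from another session accepted: {Validate(cookie, otherForm)}");
    }
}
```

The model shows why the page's "trusted browser" assumption matters: the protection rests on the browser enforcing the same-origin policy so that another site can send the cookie but never read it. A browser (or extension) that leaks the cookie value or the rendered form to a third party defeats the check, which is exactly the caveat the post raises.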

Read the rest of the post here: http://blog.stevensanderson.com/2008/09/01/prevent-cross-site-request-forgery-csrf-using-aspnet-mvcs-antiforgerytoken-helper/
