Whether to apply AntiForgeryToken to each post.

Question

Whether to apply AntiForgeryToken to each post.

Should AntiForgeryToken be applied to the message each in an ASP.NET MVC application? From head to toe, I cannot think of any reason why you would not want to include this in every post action, but it seems that no one ever recommends using it in all your actions.

I would like to hear your thoughts.

+4

security asp.net-mvc

Page Brooks Feb 10 '10 at 15:09

source share

2 answers

Without adding an anti-fake token to the form, you need to be sure that there is no way to fake fakes (or other) attacks. And that such an accession will not be found in the future for this case.

On the other hand, is the token ever a significant drawback?

It seems that not doing this will always be a greater (mental) effort in finding those “risk-free” cases.

0

Richard Feb 10 '10 at 15:22

source share

tvanfosson · Accepted Answer · 2010-02-10T15:14:52+0000

I always use it in POST / DELETE / PUT actions. I want to be as sure as I can that the request comes from the page that my server sent to the browser when I change the data as a result.

Whether to apply AntiForgeryToken to each post.

More articles: