Should I use ValidateAntiForgeryToken in every POST request?

I have an HttpPost request, and I have a document from my colleague who is scanning my site with Acunetix (I think). The result says "HTML form without CSRF protection (9)". It is supposed to use the Same-origin policy by implementing a token. My question is:

  • In terms of performance and security, is it worth using a token in every POST request? I only use a token in sensitive POST requests such as LogIn, Register, Transaction, etc.
  • This probably doesn't apply to the title, but why does pentest software like Acunetix list only a few of my pages as a possible CSRF risk when I have many pages with POST requests? How does its pattern detection work?

Any help would be appreciated.

1 answer

Yes, you should include the ValidateAntiForgeryToken attribute in every HttpPost ... provided that you use best practices, and HttpPost means that the request has some kind of side effect.

For a long discussion on this issue, see this discussion on SE’s IT Security website.

It seems that Acunetix simply reports this on every page containing a form without a token present. See their documentation.

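The answer's rule ("every HttpPost that has a side effect") is easy to state and easy to forget on one action. As an added example, not code from the thread or from ASP.NET itself, here is one way to enforce it in ASP.NET MVC 5: a hypothetical global authorization filter that calls the framework's AntiForgery.Validate() on every non-safe HTTP method, registered once in FilterConfig, alongside the usual per-action attribute. The class names ValidateAntiForgeryTokenOnUnsafeMethods, AccountController and ChangeEmail are assumptions for illustration.

```csharp
using System;
using System.Web.Helpers;
using System.Web.Mvc;

// Hypothetical global filter (added example, not part of the thread or of ASP.NET):
// validates the anti-forgery token on every state-changing request, so a POST action
// that was never decorated with [ValidateAntiForgeryToken] is still protected.
// Safe methods (GET/HEAD/OPTIONS/TRACE) are skipped because they must not have side effects.
public class ValidateAntiForgeryTokenOnUnsafeMethods : FilterAttribute, IAuthorizationFilter
{
    private static readonly string[] SafeMethods = { "GET", "HEAD", "OPTIONS", "TRACE" };

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null) throw new ArgumentNullException(nameof(filterContext));

        var method = filterContext.HttpContext.Request.HttpMethod;
        foreach (var safe in SafeMethods)
        {
            if (string.Equals(method, safe, StringComparison.OrdinalIgnoreCase)) return;
        }

        // AntiForgery.Validate() compares the __RequestVerificationToken form field
        // with the anti-forgery cookie and throws HttpAntiForgeryException on a miss.
        // Left unhandled that surfaces as a 500; an explicit 403 is clearer for users
        // and easier to pick out in logs when you look for CSRF attempts.
        try
        {
            AntiForgery.Validate();
        }
        catch (HttpAntiForgeryException)
        {
            filterContext.Result = new HttpStatusCodeResult(403,
                "Anti-forgery token missing or invalid.");
        }
    }
}

// App_Start/FilterConfig.cs: register the filter once instead of relying on every
// developer to remember the attribute on every POST action.
public static class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new ValidateAntiForgeryTokenOnUnsafeMethods());
    }
}

// Hypothetical controller: the per-action attribute remains on the sensitive actions
// the questioner already protects (double validation is harmless); the global filter
// covers the remaining POST actions that also change state.
public class AccountController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult ChangeEmail(string newEmail)
    {
        // ... apply the change for the current user ...
        return RedirectToAction("Index");
    }
}
```

The server side only works if every form that posts to the site emits the token, i.e. each Razor form contains @Html.AntiForgeryToken(), and AJAX posts send the __RequestVerificationToken field (or an equivalent header that a small custom filter reads) as well; a scanner such as Acunetix flags exactly the forms that lack that hidden field. On ASP.NET Core the same idea is built in: add AutoValidateAntiforgeryTokenAttribute as a global filter and the framework validates all unsafe methods for you.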

Source: https://habr.com/ru/post/989781/
