include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

[source,csharp]
----
public void ConfigureServices(IServiceCollection services)
{
    // ...
    services.AddControllersWithViews(options => options.Filters.Add(new IgnoreAntiforgeryTokenAttribute())); // Sensitive
    // ...
}
----

[source,csharp]
----
[HttpPost, IgnoreAntiforgeryToken] // Sensitive
public IActionResult ChangeEmail(ChangeEmailModel model) => View("~/Views/...");
----

== Compliant Solution

[source,csharp]
----
public void ConfigureServices(IServiceCollection services)
{
    // ...
    services.AddControllersWithViews(options => options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()));
    // or 
    services.AddControllersWithViews(options => options.Filters.Add(new ValidateAntiForgeryTokenAttribute()));
    // ...
}
----

[source,csharp]
----
[HttpPost]
[AutoValidateAntiforgeryToken]
public IActionResult ChangeEmail(ChangeEmailModel model) => View("~/Views/...");
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

'''
== Comments And Links
(visible only on this page)

=== on 29 Jan 2021, 11:07:02 Costin Zaharia wrote:
https://docs.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-5.0[Configuring Cross-site request forgery protection in ASP.NET Code MVC]

=== on 12 Apr 2021, 13:13:42 Costin Zaharia wrote:
Nice catch! Searching for *asp-antiforgery* inside *.cshtml file would be great.

=== on 12 Apr 2021, 13:31:00 Andrei Epure wrote:
And also :

* opted-out of Tag Helpers
* removing the ``++FormTagHelper++`` from the view

 https://docs.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-5.0[Configuring Cross-site request forgery protection in ASP.NET Code MVC]

include::../comments-and-links.adoc[]

endif::env-github,rspecator-view[]