forum

home / developersection / forums / what is csrf and how do you prevent it in asp.net?

Ask Question

What is CSRF and how do you prevent it in ASP.NET?

ICSM 300 16-Jun-2025

What is CSRF and how do you prevent it in ASP.NET?

c# c# 
Updated on 17-Jun-2025
ICSM

IT-Hardware & Networking

Ravi Vishwakarma is a dedicated Software Developer with a passion for crafting efficient and innovative solutions. With a keen eye for detail and years of experience, he excels in developing robust software systems that meet client needs. His expertise spans across multiple programming languages and technologies, making him a valuable asset in any software development project.

Message
Can you answer this question?
Answer

1 Answers

ICSM

ICSM

17-Jun-2025

CSRF (Cross-Site Request Forgery) is a type of attack where a malicious website tricks a user's browser into making an unwanted request to a different site where the user is authenticated (like submitting a form or triggering an action without consent).

Example of a CSRF Attack

Imagine a user is logged in to bank.com, and visits a malicious site that silently submits:

<form action="https://bank.com/transfer" method="POST">
  <input type="hidden" name="amount" value="10000" />
  <input type="hidden" name="to" value="attacker-account" />
</form>
<script>document.forms[0].submit();</script>

If the site doesn't verify the request origin, the bank may wrongly honor the request.

How to Prevent CSRF in ASP.NET (MVC or Core)

1. Use Anti-Forgery Tokens

ASP.NET MVC and Core provide built-in anti-forgery token mechanisms.

In Razor Views:

<form asp-action="TransferMoney" method="post">
    @Html.AntiForgeryToken()
    <!-- form fields -->
</form>

In Controller:

[HttpPost]
[ValidateAntiForgeryToken]
public IActionResult TransferMoney(MyModel model)
{
    // Safe from CSRF
}

The @Html.AntiForgeryToken() generates a hidden field with a token, and the [ValidateAntiForgeryToken] attribute validates it.

2. For Web APIs

For APIs (which don’t use cookies by default), CSRF is less common unless using cookie-based auth. If so:

Require clients to send an anti-CSRF token via a custom header (e.g. X-CSRF-TOKEN)

Validate it manually or using middleware

3. Use SameSite Cookie Attribute

In .NET Core, set your auth cookie to:

options.Cookie.SameSite = SameSiteMode.Strict;

This prevents browsers from sending cookies on cross-site requests.

4. Disable Cross-Origin for Unsafe Methods

  • Only allow safe GET requests from cross-origin sources.
  • Block POST, PUT, DELETE, etc. using CORS unless you explicitly trust the source.

Summary

Technique Applies To Purpose
@Html.AntiForgeryToken() MVC Views Embed anti-CSRF token in form
[ValidateAntiForgeryToken] Controller Action Validate token presence/validity
SameSite=Strict Cookies Prevent cross-origin cookie send
CORS Restrictions Web APIs Block untrusted origins
Custom Header Tokens Web APIs Manually validate via header
MindStick Training
MindStick Training

Liked By

We use cookies to ensure you have the best browsing experience on our website. By using our site, you acknowledge that you have read and understood our Cookie Policy & Privacy Policy