Services
Technology Web App Development Mobile App Development Windows App Development Database Development UI/UX Development Cloud Development SEO Digital Marketing Guest Posting Content Writing Artificial Intelligence Data Science ERP Development CRM Development CMS Development LMS Development Business Listing Blockchain Technology Startup Promotion
Products
Data Converter Cleaner TUC - Unit Converter Import Export Survey Manager Tweet Controller
Developer
Article Blog Forum Interview Beginner News Startup Quiz
Users
Career
Apply Job Internship
Pricing
Login Sign Up Get a Quote

forum

home / developersection / forums / what is csrf and how do you prevent it in asp.net?
Ask Question

What is CSRF and how do you prevent it in ASP.NET?

Ravi Vishwakarma 396 16 Jun 2025

What is CSRF and how do you prevent it in ASP.NET?

c# c#
Updated 17 Jun 2025
Ravi Vishwakarma
Ravi Vishwakarma

IT-Hardware & Networking

Ravi Vishwakarma is a dedicated Software Developer with a passion for crafting efficient and innovative solutions. With a keen eye for detail and years of experience, he excels in developing robust software systems that meet client needs. His expertise spans across multiple programming languages and technologies, making him a valuable asset in any software development project.

Message

1 Answers

Ravi Vishwakarma
Ravi Vishwakarma 17 Jun 2025
Report Abuse

CSRF (Cross-Site Request Forgery) is a type of attack where a malicious website tricks a user's browser into making an unwanted request to a different site where the user is authenticated (like submitting a form or triggering an action without consent).

Example of a CSRF Attack

Imagine a user is logged in to bank.com, and visits a malicious site that silently submits:

<form action="https://bank.com/transfer" method="POST">
  <input type="hidden" name="amount" value="10000" />
  <input type="hidden" name="to" value="attacker-account" />
</form>
<script>document.forms[0].submit();</script>

If the site doesn't verify the request origin, the bank may wrongly honor the request.

How to Prevent CSRF in ASP.NET (MVC or Core)

1. Use Anti-Forgery Tokens

ASP.NET MVC and Core provide built-in anti-forgery token mechanisms.

In Razor Views:

<form asp-action="TransferMoney" method="post">
    @Html.AntiForgeryToken()
    <!-- form fields -->
</form>

In Controller:

[HttpPost]
[ValidateAntiForgeryToken]
public IActionResult TransferMoney(MyModel model)
{
    // Safe from CSRF
}

The @Html.AntiForgeryToken() generates a hidden field with a token, and the [ValidateAntiForgeryToken] attribute validates it.

2. For Web APIs

For APIs (which don’t use cookies by default), CSRF is less common unless using cookie-based auth. If so:

Require clients to send an anti-CSRF token via a custom header (e.g. X-CSRF-TOKEN)

Validate it manually or using middleware

3. Use SameSite Cookie Attribute

In .NET Core, set your auth cookie to:

options.Cookie.SameSite = SameSiteMode.Strict;

This prevents browsers from sending cookies on cross-site requests.

4. Disable Cross-Origin for Unsafe Methods

  • Only allow safe GET requests from cross-origin sources.
  • Block POST, PUT, DELETE, etc. using CORS unless you explicitly trust the source.

Summary

Technique Applies To Purpose
@Html.AntiForgeryToken() MVC Views Embed anti-CSRF token in form
[ValidateAntiForgeryToken] Controller Action Validate token presence/validity
SameSite=Strict Cookies Prevent cross-origin cookie send
CORS Restrictions Web APIs Block untrusted origins
Custom Header Tokens Web APIs Manually validate via header
MindStick Training