interview

home / developersection / interviews / how to call @html.antiforgerytoken in asp.net web api

Ask Question

How to call @html.AntiForgeryToken in ASP.NET Web API

ICSM Computer 185 10-Jun-2025
c# api(s) 
Updated on 10-Jun-2025
ICSM Computer

IT-Hardware & Networking

Ravi Vishwakarma is a dedicated Software Developer with a passion for crafting efficient and innovative solutions. With a keen eye for detail and years of experience, he excels in developing robust software systems that meet client needs. His expertise spans across multiple programming languages and technologies, making him a valuable asset in any software development project.

Follow
Can you answer this question?
Answer

1 Answers

ICSM Computer

ICSM Computer

10-Jun-2025

In ASP.NET Web API (not MVC), @Html.AntiForgeryToken() does not apply directly because Web API does not use Razor views or MVC forms by default.

However, you can integrate anti-forgery protection into Web API by manually validating anti-forgery tokens for APIs that are accessed via AJAX (e.g., from MVC views or SPAs).

Goal: Use Anti-Forgery Token in Web API

Step 1: Generate the Token in MVC View

If your front-end uses Razor (MVC view), generate the anti-forgery token using:

@Html.AntiForgeryToken()

This emits two things:

  1. A hidden form field: __RequestVerificationToken
  2. A cookie: __RequestVerificationToken

Step 2: Send Token with AJAX Request

In JavaScript, extract the token from the cookie or form and send it as a header:

// Get the anti-forgery token from the form or cookie
var token = $('input[name="__RequestVerificationToken"]').val();

$.ajax({
    url: '/api/account/secure',
    type: 'POST',
    headers: {
        'RequestVerificationToken': token
    },
    data: { /* your payload */ },
    success: function (response) {
        // handle success
    }
});

Step 3: Validate the Token in Web API

Create a custom filter attribute to validate the anti-forgery token:

using System.Web;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;
using System.Web.Helpers;

public class ValidateAntiForgeryTokenAttribute : AuthorizationFilterAttribute
{
    public override void OnAuthorization(HttpActionContext actionContext)
    {
        var headers = actionContext.Request.Headers;

        if (headers.Contains("RequestVerificationToken"))
        {
            try
            {
                var cookieToken = "";
                var formToken = headers.GetValues("RequestVerificationToken").FirstOrDefault();

                if (HttpContext.Current.Request.Cookies["__RequestVerificationToken"] != null)
                {
                    cookieToken = HttpContext.Current.Request.Cookies["__RequestVerificationToken"].Value;
                }

                AntiForgery.Validate(cookieToken, formToken);
            }
            catch (HttpAntiForgeryException ex)
            {
                throw new HttpResponseException(System.Net.HttpStatusCode.Forbidden);
            }
        }
        else
        {
            throw new HttpResponseException(System.Net.HttpStatusCode.Forbidden);
        }
    }
}

Step 4: Apply the Attribute to API Methods

[ValidateAntiForgeryToken]
public class AccountController : ApiController
{
    [HttpPost]
    public IHttpActionResult Secure(SomeModel model)
    {
        // Only reached if anti-forgery token is valid
        return Ok("Request valid");
    }
}

Summary

Component Purpose
@Html.AntiForgeryToken() Renders hidden input and cookie
Custom filter Validates token on Web API
JavaScript header Sends token with AJAX
AntiForgery.Validate(cookie, token) Validates tokens on server
MindStick Training
MindStick Training

Liked By

We use cookies to ensure you have the best browsing experience on our website. By using our site, you acknowledge that you have read and understood our Cookie Policy & Privacy Policy