
Should the AntiForgeryToken be applied to every post action?

Developer https://www.devze.com 2022-12-19 14:53 Source: the web

Should the AntiForgeryToken be applied to every post action in an ASP.NET MVC application? Off the top of my head I can't think of any reason why you would not want to include this on every post action, but it seems that nobody ever actually recommends using it on all of your actions.

I'd love to hear your thoughts.


I always use it on POST/DELETE/PUT actions. I want to be as sure as I can that the request is coming from a page that my server sent to the browser when I'm changing data as a result.


Not adding an anti-forgery token to a form would require being completely sure there is no possibility of a cross site forgery (or other) attack. And that such an attack will not be found in the future for that case.

On the other hand is there ever a significant disadvantage to having a token?

It seems to be that not doing it always will be more (mental) effort in finding those "no risk" cases.

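One way to get the "token on every state-changing action" behaviour discussed in the answers without decorating each action by hand is a global filter with an explicit opt-out. This is an added example, not code from the original posts; it assumes ASP.NET MVC 4 or 5, and the names `AntiForgeryByDefaultAttribute` and `SkipAntiForgeryAttribute` are hypothetical.

```csharp
using System;
using System.Web.Helpers;
using System.Web.Mvc;

// Hypothetical marker for the rare action that must accept a request without a
// token (for example a webhook that is authenticated by other means).
[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class)]
public sealed class SkipAntiForgeryAttribute : Attribute { }

// Hypothetical global filter: validates the token on every state-changing verb,
// so forgetting [ValidateAntiForgeryToken] on a new action fails closed.
public sealed class AntiForgeryByDefaultAttribute : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null) throw new ArgumentNullException("filterContext");

        string method = filterContext.HttpContext.Request.HttpMethod;

        // Safe verbs must not change state, so they carry no token.
        if (IsVerb(method, "GET") || IsVerb(method, "HEAD") || IsVerb(method, "OPTIONS"))
            return;

        // Opt-out has to be declared on the action or its controller.
        ActionDescriptor action = filterContext.ActionDescriptor;
        if (action.IsDefined(typeof(SkipAntiForgeryAttribute), true) ||
            action.ControllerDescriptor.IsDefined(typeof(SkipAntiForgeryAttribute), true))
            return;

        try
        {
            // Checks the anti-forgery cookie against the __RequestVerificationToken
            // form field. Clients that send the token in a header instead need the
            // AntiForgery.Validate(cookieToken, formToken) overload.
            AntiForgery.Validate();
        }
        catch (HttpAntiForgeryException)
        {
            filterContext.Result = new HttpStatusCodeResult(403, "Anti-forgery validation failed");
        }
    }

    private static bool IsVerb(string actual, string expected)
    {
        return string.Equals(actual, expected, StringComparison.OrdinalIgnoreCase);
    }
}

// Registered once, typically from Application_Start:
//   GlobalFilters.Filters.Add(new AntiForgeryByDefaultAttribute());
```

Every form that posts to the application still has to emit the token with `@Html.AntiForgeryToken()`; with the filter in place, a form that omits it is rejected with a 403 rather than silently accepted.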