Eilon
commented
6 years ago This issue was moved to aspnet/templating#94
Closed ardalis closed 6 years ago
Eilon
commented
6 years ago This issue was moved to aspnet/templating#94
Instead of explicitly using
ValidateAntiForgeryTokenon everyHttpPostmethod in controllers that accept posts, instead useAutoValidateAntiforgeryTokenattribute at controller level (e.g. https://github.com/aspnet/Templates/blob/dev/src/Rules/StarterWeb/IndividualAuth/Controllers/ManageController.cs) or consider adding it globally inConfigurewhen MVC is configured.Currently [ValidateAntiForgeryToken] appears about 18 times between AccountController and ManageController. This could be reduced down to 2 controller-level attributes or 1 global filter. Personally I would recommend the controller-level attribute, as it keeps the behavior visible to developers working in these controllers, while still demonstrate the better practice of applying the policy broadly, rather than on a one-off basis (which easily be forgotten when the next POST action is added).