Instead of explicitly using `ValidateAntiForgeryToken` on every `HttpPost` method in controllers that accept posts, use the `AutoValidateAntiforgeryToken` attribute at controller level (e.g. https://github.com/aspnet/Templates/blob/dev/src/Rules/StarterWeb/IndividualAuth/Controllers/ManageController.cs) or consider adding it globally in `Configure` when MVC is configured.

Currently `[ValidateAntiForgeryToken]` appears about 18 times between AccountController and ManageController. This could be reduced down to 2 controller-level attributes or 1 global filter. Personally I would recommend the controller-level attribute, as it keeps the behavior visible to developers working in these controllers, while still demonstrating the better practice of applying the policy broadly rather than on a one-off basis (which can easily be forgotten when the next POST action is added).
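The three options the issue compares, as an added example (not code from the issue or from the aspnet/Templates repository): the per-action pattern with the gap it invites, the controller-level `[AutoValidateAntiforgeryToken]`, and the global filter registered through the MVC options in `ConfigureServices`. Action names, `ManageControllerBefore` and the `ExternalCallback` opt-out are illustrative.

```csharp
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Before: the policy is repeated on every POST action and silently absent
// from any action a developer forgets to decorate.
public class ManageControllerBefore : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public IActionResult ChangePassword(string newPassword) => RedirectToAction("Index");

    [HttpPost]   // no [ValidateAntiForgeryToken]: this POST is unprotected against CSRF
    public IActionResult RemoveLogin(string provider) => RedirectToAction("Index");
}

// After: one controller-level attribute validates every unsafe method
// (POST/PUT/PATCH/DELETE); GET/HEAD/OPTIONS/TRACE are skipped automatically.
[AutoValidateAntiforgeryToken]
public class ManageController : Controller
{
    [HttpPost]
    public IActionResult ChangePassword(string newPassword) => RedirectToAction("Index");

    [HttpPost]
    public IActionResult RemoveLogin(string provider) => RedirectToAction("Index");

    // A deliberate, visible opt-out for an endpoint that cannot carry the
    // token (hypothetical; the issue does not name such an endpoint).
    [HttpPost]
    [IgnoreAntiforgeryToken]
    public IActionResult ExternalCallback(string payload) => Ok();
}

// Alternative: register the same filter once for the whole application.
public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc(options =>
            options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()));
    }
}
```

With either of the broad options, a newly added POST action is protected by default and any exception has to be declared explicitly with `[IgnoreAntiforgeryToken]`, which is exactly the visibility the issue argues for.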