When using anti-Cross-Site Request Forgery (XSRF) protection in your application, which is on by default, you may be surprised when you submit to a controller via AJAX and get an HTTP 400 Bad Request: this may be happening because the framework is blocking your request due to XSRF validation.

Imagine this scenario: you have an AutoValidateAntiforgeryTokenAttribute or ValidateAntiForgeryTokenAttribute filter applied globally, or to a controller or action method:

// Startup.ConfigureServices: validate the antiforgery token on every request
// that is not GET, HEAD, OPTIONS or TRACE (i.e. on all state-changing verbs)
services.AddMvc(options =>
{
    options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute());
});

In this case, the framework expects a header named “RequestVerificationToken” (this is the default, but it can be configured) carrying a valid token value. If it does not receive the header, or receives an invalid value, it returns HTTP 400.
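The following client-side code is an added example, not part of the original post: it reads the antiforgery token that the server renders into the page and attaches it as the RequestVerificationToken header on an AJAX POST, which is what the filter above is looking for. It assumes the token is rendered into a hidden input named __RequestVerificationToken (the framework's default form field name, as emitted by @Html.AntiForgeryToken() or a Razor form tag helper) and that the header name is the default. The fakeServerCheck function is a constructed stand-in for the server-side filter so the example can be exercised offline; the real framework additionally verifies the header token cryptographically against the antiforgery cookie.

```javascript
// Added example (not from the original post). Assumptions:
//  - the page contains <input name="__RequestVerificationToken" type="hidden" value="...">
//  - the header name is the ASP.NET Core default "RequestVerificationToken"
const HEADER_NAME = 'RequestVerificationToken';
const FIELD_NAME = '__RequestVerificationToken';

// Extract the token from rendered HTML. In a browser you would normally use
// document.querySelector(`input[name="${FIELD_NAME}"]`).value; the regex form
// lets the same function run outside a DOM (e.g. in Node).
function extractToken(html) {
  const re = new RegExp(`<input[^>]*name="${FIELD_NAME}"[^>]*value="([^"]*)"`, 'i');
  const match = re.exec(html);
  return match ? match[1] : null;
}

// Build the fetch() init object for a JSON POST that carries the token.
// Fail loudly if the token is missing: sending the request anyway would
// just produce the HTTP 400 described above.
function buildRequest(token, body) {
  if (!token) {
    throw new Error('antiforgery token not found on page; the POST would be rejected with 400');
  }
  return {
    method: 'POST',
    credentials: 'same-origin', // the antiforgery cookie must travel with the request
    headers: {
      'Content-Type': 'application/json',
      [HEADER_NAME]: token,
    },
    body: JSON.stringify(body),
  };
}

// Constructed stand-in for AutoValidateAntiforgeryTokenAttribute: returns the
// status the filter would produce given the request headers. Header names are
// matched case-insensitively, as HTTP requires. The real filter also validates
// the token against the cookie; this stub only checks presence and equality.
function fakeServerCheck(init, expectedToken) {
  const headers = init.headers || {};
  const key = Object.keys(headers).find(k => k.toLowerCase() === HEADER_NAME.toLowerCase());
  if (!key || headers[key] !== expectedToken) {
    return 400; // missing or invalid token -> Bad Request
  }
  return 200;
}

// Browser usage (not executed here): pull the token from the live document and post.
function postWithToken(url, body) {
  const token = extractToken(document.documentElement.outerHTML);
  return fetch(url, buildRequest(token, body));
}
```

The check in fakeServerCheck mirrors the two failure modes the post names: no header at all, or a header whose value is not the expected token. Both yield 400, so a 400 on an AJAX POST is the first thing to verify when the filter is active.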


ASP.NET Core Pitfalls – AJAX Requests and XSRF