Responsible use of the ASP.NET MVC AntiForgeryToken
The use of anti-forgery tokens is a necessary safeguard against cross-site request forgery (CSRF) attacks. The ASP.NET MVC framework provides easy-to-use protection right out of the box (the Html.AntiForgeryToken helper plus the ValidateAntiForgeryToken attribute), but unfortunately it is opt-in rather than opt-out and is easy to miss or forget: a POST action that nobody decorated with the attribute is simply unprotected, and the stock attribute only looks for the token in a form field, so a JSON/AJAX post that sends it any other way is not covered at all. For a non-trivial website it is difficult to guarantee that tokens are supplied and checked on every form submission and AJAX post. This is how I do it.

Note: Web security is a tricky business and I do not consider myself a security expert. Use the information in this post at your own risk.

1. Use the ValidateJsonAntiForgeryToken attribute for AJAX calls

There's a nice post by Johan Driessen on anti-XSRF validation with newer versions of the .NET framework. I use Johan's ValidateJsonAntiForgeryToken attribute to great effect. In summary, Johan's attribute should be applied to actions invoked via AJAX calls, where the token cannot arrive as a form field and must be read from elsewhere in the request. Check out his blog post - it explains everything in detail.

2. Ensure all AJAX posts conta...
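As an added example in the spirit of step 1 (this is not the post's code and not Johan Driessen's attribute), the filter below validates the anti-forgery cookie/request token pair whether the request half arrives as the hidden form field or as a request header, and it can also be registered as a global filter so that validation becomes opt-out rather than opt-in. The header name X-RequestVerificationToken and the SkipAntiForgeryValidation opt-out attribute are assumptions chosen for this example; the AntiForgery.Validate and AntiForgeryConfig.CookieName calls are the real System.Web.Helpers API.

```csharp
using System;
using System.Web;
using System.Web.Helpers;
using System.Web.Mvc;

// Explicit opt-out for the rare action that must accept cross-site POSTs
// (e.g. a third-party webhook). Hypothetical name; any marker attribute works.
[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, AllowMultiple = false)]
public sealed class SkipAntiForgeryValidationAttribute : Attribute { }

// Validates the anti-forgery cookie/request token pair for state-changing
// requests. The request half may be the hidden form field emitted by
// Html.AntiForgeryToken() or, for JSON/AJAX posts, a request header.
[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, AllowMultiple = false, Inherited = true)]
public sealed class ValidateAntiForgeryTokenEverywhereAttribute : FilterAttribute, IAuthorizationFilter
{
    // Assumed header name; the client must send exactly the same name.
    public const string HeaderName = "X-RequestVerificationToken";

    // Field name emitted by Html.AntiForgeryToken() and read by the stock attribute.
    private const string FormFieldName = "__RequestVerificationToken";

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null)
            throw new ArgumentNullException("filterContext");

        // Explicit opt-out on the action or on its controller.
        if (filterContext.ActionDescriptor.IsDefined(typeof(SkipAntiForgeryValidationAttribute), true) ||
            filterContext.ActionDescriptor.ControllerDescriptor.IsDefined(typeof(SkipAntiForgeryValidationAttribute), true))
            return;

        HttpRequestBase request = filterContext.HttpContext.Request;

        // Safe methods carry no token; this matters once the filter is global.
        // A state-changing GET remains a design bug this filter cannot fix.
        string method = request.HttpMethod;
        if (method.Equals("GET", StringComparison.OrdinalIgnoreCase) ||
            method.Equals("HEAD", StringComparison.OrdinalIgnoreCase) ||
            method.Equals("OPTIONS", StringComparison.OrdinalIgnoreCase))
            return;

        // Cookie half of the pair; AntiForgeryConfig.CookieName honours a custom cookie name.
        HttpCookie cookie = request.Cookies[AntiForgeryConfig.CookieName];
        string cookieToken = cookie != null ? cookie.Value : null;

        // Request half: header first, so a JSON body with an empty Form collection still works.
        string requestToken = request.Headers[HeaderName];
        if (string.IsNullOrEmpty(requestToken))
            requestToken = request.Form[FormFieldName];

        // Throws HttpAntiForgeryException when either half is missing, the pair does
        // not match, or the identity baked into the tokens is not the current user.
        // Nothing is returned on success; the request simply proceeds. Fail closed.
        AntiForgery.Validate(cookieToken, requestToken);
    }
}

// Global registration (App_Start/FilterConfig.cs) turns validation into opt-out:
// every POST/PUT/DELETE on every controller is checked unless explicitly excluded.
public class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new ValidateAntiForgeryTokenEverywhereAttribute());
    }
}

// A webhook endpoint that legitimately cannot carry a token opts out explicitly,
// which makes the exception visible in code review instead of being an omission.
public class WebhooksController : Controller
{
    [HttpPost]
    [SkipAntiForgeryValidation]
    public ActionResult PaymentProvider()
    {
        // Authenticate the caller by signature or shared secret instead; out of scope here.
        return new HttpStatusCodeResult(200);
    }
}
```

On the client, the AJAX layer reads the value of the hidden __RequestVerificationToken input that @Html.AntiForgeryToken() renders in the page and copies it into the X-RequestVerificationToken header on every non-GET request; the cookie half travels with the request automatically. Registering the filter globally is what closes the "easy to miss" gap: a forgotten attribute now produces a visible HttpAntiForgeryException in testing rather than a silently unprotected action in production.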