Use AutoValidateAntiforgeryToken in Templates
ardalis opened this issue · comments
Instead of explicitly using ValidateAntiForgeryToken on every HttpPost method in controllers that accept posts, use the AutoValidateAntiforgeryToken attribute at controller level (e.g. https://github.com/aspnet/Templates/blob/dev/src/Rules/StarterWeb/IndividualAuth/Controllers/ManageController.cs) or consider adding it globally in Configure when MVC is configured.
Currently [ValidateAntiForgeryToken] appears about 18 times between AccountController and ManageController. This could be reduced down to 2 controller-level attributes or 1 global filter. Personally I would recommend the controller-level attribute, as it keeps the behavior visible to developers working in these controllers, while still demonstrating the better practice of applying the policy broadly, rather than on a one-off basis (which can easily be forgotten when the next POST action is added).
This issue was moved to aspnet/Templating#94
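As an added example (not code from the aspnet/Templates repository), here are the two options the issue proposes in ASP.NET Core MVC: the controller-level attribute, with a POST action that needs no per-action [ValidateAntiForgeryToken], and the global filter registered through the MVC options in Startup.ConfigureServices. Controller, action and view model names are illustrative.

```csharp
// Added example, not the template's own code. Controller/action/model names are illustrative.
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Option 1: one attribute at controller level. Every POST/PUT/PATCH/DELETE action on this
// controller now requires a valid antiforgery token; safe methods (GET, HEAD, OPTIONS, TRACE)
// are not checked, which is what makes the attribute suitable for broad application.
[Authorize]
[AutoValidateAntiforgeryToken]
public class ManageController : Controller
{
    public IActionResult Index() => View();

    [HttpGet]
    public IActionResult ChangePassword() => View();

    // No per-action [ValidateAntiForgeryToken] here: a POST action added next month is
    // covered automatically instead of relying on someone remembering the attribute.
    [HttpPost]
    public IActionResult ChangePassword(ChangePasswordViewModel model)
    {
        if (!ModelState.IsValid) return View(model);
        // ... apply the password change ...
        return RedirectToAction(nameof(Index));
    }

    // If an action genuinely cannot carry the token, the opt-out is explicit and visible
    // in review, rather than protection being silently absent.
    [HttpPost]
    [IgnoreAntiforgeryToken]
    public IActionResult ExternalCallback() => Ok();
}

public class ChangePasswordViewModel
{
    public string OldPassword { get; set; }
    public string NewPassword { get; set; }
}

// Option 2: one global filter. Registered with the MVC options in ConfigureServices, it
// applies the same policy to every controller without any per-controller attribute.
public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc(options =>
            options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()));
    }
}
```

With either option, the `<form asp-controller="..." asp-action="...">` tag helper emits the matching hidden token field, so views need no change.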