aspnet / Templates

This repo is OBSOLETE - please see the README file for information


Use AutoValidateAntiforgeryToken in Templates

ardalis opened this issue · comments

Instead of explicitly using ValidateAntiForgeryToken on every HttpPost method in controllers that accept posts, use the AutoValidateAntiforgeryToken attribute at controller level (e.g. https://github.com/aspnet/Templates/blob/dev/src/Rules/StarterWeb/IndividualAuth/Controllers/ManageController.cs) or consider adding it globally in Configure when MVC is configured.

Currently [ValidateAntiForgeryToken] appears about 18 times between AccountController and ManageController. This could be reduced down to 2 controller-level attributes or 1 global filter. Personally I would recommend the controller-level attribute, as it keeps the behavior visible to developers working in these controllers, while still demonstrating the better practice of applying the policy broadly, rather than on a one-off basis (which can easily be forgotten when the next POST action is added).
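The per-action form and the two broader forms the issue proposes, as an added example that is not code from the aspnet/Templates repo; the controller, action and Startup names are illustrative, and the global filter is registered through AddMvc options in ConfigureServices, which is where MVC is configured in ASP.NET Core.

```csharp
// Added example (not code from the aspnet/Templates repo): the forms the issue
// contrasts. Namespaces and controller/action names are illustrative.
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Before: the per-action form the issue wants to retire. Every POST action must
// carry its own attribute; a new action added without it is unprotected.
public class ManageControllerBefore : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public IActionResult ChangePassword(string newPassword) => RedirectToAction("Index");

    [HttpPost] // [ValidateAntiForgeryToken] forgotten: this action accepts forged posts
    public IActionResult RemoveLogin(string provider) => RedirectToAction("Index");
}

// After (option 1, the one the issue recommends): one controller-level attribute.
// AutoValidateAntiforgeryToken validates the token for every unsafe HTTP method
// (POST, PUT, PATCH, DELETE) and skips GET, HEAD, OPTIONS and TRACE, so GET views are unaffected.
[AutoValidateAntiforgeryToken]
public class ManageController : Controller
{
    [HttpGet]
    public IActionResult Index() => View(); // no token required for GET

    [HttpPost]
    public IActionResult ChangePassword(string newPassword) => RedirectToAction("Index");

    [HttpPost]
    public IActionResult RemoveLogin(string provider) => RedirectToAction("Index"); // now covered

    // Any exemption is now an explicit, reviewable opt-out rather than an accidental omission.
    [HttpPost]
    [IgnoreAntiforgeryToken]
    public IActionResult ExternalCallback(string payload) => Ok();
}

// After (option 2): a single global filter applied to every controller.
// Registered where MVC is configured: AddMvc in ConfigureServices (the issue says "Configure").
public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc(options =>
            options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()));
    }
}
```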

This issue was moved to aspnet/Templating#94