Remove From My Forums

Are Razor pages already equipped with antiforgery tokens validations?

Question
0

Sign in to vote

User-81839486 posted

With controllers I have to use AutoValidateAntiforgeryTokenAttribute in services to enable validating token globally. Are Razor pages provide default token validation and I dont have to anything?

Saturday, August 8, 2020 9:50 PM

Answers

0

Sign in to vote
User-821857111 posted

Request verification is enabled by default in Razor Pages: https://www.learnrazorpages.com/security/request-verification
- Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
Sunday, August 9, 2020 6:46 AM

All replies

0

Sign in to vote
User-183185495 posted

Actually on futher checking it appears to be you have to explictiy turn it off but not on

https://docs.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-3.1

<form method="post" asp-antiforgery="false"> ... </form>
Sunday, August 9, 2020 12:57 AM
0

Sign in to vote
User-821857111 posted

Request verification is enabled by default in Razor Pages: https://www.learnrazorpages.com/security/request-verification
- Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
Sunday, August 9, 2020 6:46 AM
0

Sign in to vote
User-821857111 posted

Actually on futher checking it appears to be you have to explictiy turn it off but not on

https://docs.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-3.1

<form method="post" asp-antiforgery="false"> ... </form>

That doesn't disable request verification. It just prevents the hidden field containing the token value from being rendered. Forms submission will result in a 400 Bad Request code. You disable it either globally in Startup, or at page level using the IgnoreAntiforgeryToken attribute: https://www.learnrazorpages.com/security/request-verification#opting-out
Sunday, August 9, 2020 6:51 AM