Reputation: 4692
Preventing Cross-Site Request Forgery (CSRF) Attacks
I've read the below link and fully understand except for one part. I asked a question in the comment on the link, but nobody responded.
http://www.asp.net/web-api/overview/security/preventing-cross-site-request-forgery-(csrf)-attacks
Where do we call the "ValidateRequestHeader"?
Can someone please be able to answer this?
Upvotes: 1
Views: 2478
Answers (1)
Reputation: 9965
Depends if you are using MVC or WebApi to validate the request.
For Web Api I would put it in a Message Handler.
And for MVC I would put it in an Action Filter.
That way the request is validated before it reaches your controller's action method and since that is a cross cutting concern it can be easily applied to any controller or action just by decorating it with an attribute.
MVC already has a [ValidateAntiForgeryToken] attribute built. I think for webapi you need to handroll your own.
Upvotes: 2
Related Questions
- AJAX CSRF attacks and .Net MVC
- MVC 5 - Mitigating BREACH Vulnerability
- Using anti forgery token to prevent CSRF attacks with jQuery-3.2.1 in MVC 3
- Protecting from cross-site request forgery attacks
- Prevent Cross Site Request Forgery in jQuery Ajax Call
- Preventing crf attacks on ajax requests in asp.net web forms
- How can Prevent Cross site request forgery via Ajax post?
- Any in-framework way to prevent Cross Site Request Forgery (CSRF) within ASP .NET 4.0 (not MVC)?
- How to handle CSRF attacks when using ajax post?
- CSRF Protection in AJAX Requests using MVC2