Reputation: 4692
I've read the below link and fully understand except for one part. I asked a question in the comment on the link, but nobody responded.
http://www.asp.net/web-api/overview/security/preventing-cross-site-request-forgery-(csrf)-attacks
Where do we call the "ValidateRequestHeader"?
Can someone please answer this?
Upvotes: 1
Views: 2478
Reputation: 9965
It depends on whether you are using MVC or Web API to validate the request.
For Web API, I would put it in a message handler.
And for MVC, I would put it in an action filter.
That way the request is validated before it reaches your controller's action method, and since that is a cross-cutting concern, it can be easily applied to any controller or action just by decorating it with an attribute.
MVC already has a [ValidateAntiForgeryToken] attribute built in. I think for Web API you need to hand-roll your own.
Upvotes: 2
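One way to do what the answer describes for Web API, as an added example that is not part of the original answer or the linked article's code: a `DelegatingHandler` that calls `ValidateRequestHeader` before any controller runs. It assumes IIS-hosted Web API (`AntiForgery.Validate` relies on `HttpContext.Current`) and the linked article's convention of a `RequestVerificationToken` header carrying `cookieToken:formToken`; the class name `AntiForgeryHandler` is hypothetical.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Helpers; // AntiForgery
using System.Web.Mvc;     // HttpAntiForgeryException

// Hypothetical handler name. Register once in WebApiConfig.Register:
//   config.MessageHandlers.Add(new AntiForgeryHandler());
public class AntiForgeryHandler : DelegatingHandler
{
    // Assumed header name and "cookieToken:formToken" format (linked article's convention).
    private const string HeaderName = "RequestVerificationToken";

    protected override Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        // GET/HEAD/OPTIONS should not change state, so only other verbs are checked.
        bool safe = request.Method == HttpMethod.Get
                 || request.Method == HttpMethod.Head
                 || request.Method == HttpMethod.Options;
        if (!safe && !ValidateRequestHeader(request))
        {
            // Short-circuit with 403: the controller action never runs.
            return Task.FromResult(new HttpResponseMessage(HttpStatusCode.Forbidden));
        }
        return base.SendAsync(request, cancellationToken);
    }

    private static bool ValidateRequestHeader(HttpRequestMessage request)
    {
        IEnumerable<string> values;
        if (!request.Headers.TryGetValues(HeaderName, out values)) return false;

        string[] tokens = values.First().Split(':');
        if (tokens.Length != 2) return false; // missing or malformed header
        try
        {
            // Throws when the cookie token and the request token do not pair up.
            AntiForgery.Validate(tokens[0].Trim(), tokens[1].Trim());
            return true;
        }
        catch (HttpAntiForgeryException)
        {
            return false;
        }
    }
}
```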