sagesky36

Reputation: 4692

Preventing Cross-Site Request Forgery (CSRF) Attacks

I've read the below link and fully understand except for one part. I asked a question in the comment on the link, but nobody responded.

http://www.asp.net/web-api/overview/security/preventing-cross-site-request-forgery-(csrf)-attacks

Where do we call the "ValidateRequestHeader"?

Can someone please answer this?

Upvotes: 1

Views: 2478

Answers (1)

Evan Larsen

Reputation: 9965

Depends if you are using MVC or WebApi to validate the request.

For Web Api I would put it in a Message Handler.

And for MVC I would put it in an Action Filter.

That way the request is validated before it reaches your controller's action method, and since that is a cross-cutting concern, it can be easily applied to any controller or action just by decorating it with an attribute.

MVC already has a [ValidateAntiForgeryToken] attribute built in. I think for Web API you need to hand-roll your own.

Upvotes: 2
