Reputation: 1159
Recently I was given a requirement to make the anti-forgery token that ASP.NET MVC creates secure.
Basically the anti-forgery token is a cookie in the browser with the name _RequestVerificationToken, and I want to make it secure.
I already tried:
<compilation debug="true" targetFramework="4.5.2" />
<httpRuntime targetFramework="4.5.2" />
<authentication mode="Windows" />
<identity impersonate="false" />
<pages controlRenderingCompatibilityVersion="4.0" />
<httpCookies requireSSL="true" httpOnlyCookies="true"/>
But it is not making the token secure and HttpOnly.
If anyone can help here, please do.
I made the whole site hosted on HTTPS too.
Upvotes: 3
Views: 5928
Reputation: 563
For when you are getting your chops busted by a security manager who has a vendor report saying that this cookie is not secure, try adding this to ConfigureServices in Startup.cs:
services.AddAntiforgery(options =>
{
    // Names of the hidden form field and of the request header that carry the token
    options.FormFieldName = "AntiforgeryFieldname";
    options.HeaderName = "X-CSRF-TOKEN-HEADERNAME";
    // Keep the X-Frame-Options header that the antiforgery system emits
    options.SuppressXFrameOptionsHeader = false;
    // Always mark the antiforgery cookie Secure, regardless of the request scheme
    options.Cookie.SecurePolicy = Microsoft.AspNetCore.Http.CookieSecurePolicy.Always;
});
Refs: https://learn.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-3.1 and https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.cookiesecurepolicy?view=aspnetcore-3.1
Upvotes: 3
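The answer above targets ASP.NET Core, while the question's stack is classic ASP.NET MVC on .NET Framework 4.5.2. There the Secure attribute on the anti-forgery cookie is controlled by AntiForgeryConfig.RequireSsl from System.Web.Helpers. The Global.asax.cs below is an added example, not code from the question or from either answer; the class name MvcApplication and the RouteConfig.RegisterRoutes call are assumed from the default MVC 5 project template.

```csharp
// Global.asax.cs of a classic ASP.NET MVC 5 application (added example).
// AntiForgeryConfig lives in System.Web.Helpers (System.Web.WebPages package).
using System.Web;
using System.Web.Helpers;
using System.Web.Mvc;
using System.Web.Routing;

public class MvcApplication : HttpApplication
{
    protected void Application_Start()
    {
        AreaRegistration.RegisterAllAreas();
        // Assumed from the default MVC 5 template; not part of the page.
        RouteConfig.RegisterRoutes(RouteTable.Routes);

        // Emit the anti-forgery cookie with the Secure attribute.
        // Enable this only once the whole site is served over HTTPS:
        // with RequireSsl = true, token validation fails on plain-HTTP requests.
        AntiForgeryConfig.RequireSsl = true;
    }
}
```

After deploying, confirm the change from the response itself rather than from a vendor report: the Set-Cookie header for the anti-forgery cookie should now carry the secure attribute on every HTTPS page that renders a form.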
Reputation: 92
The anti-forgery token can be used to help protect your application against cross-site request forgery. To use this feature, all you need to do is add the following HTML helper to your form so it is submitted as part of the form post.
It is used to protect your form, not the entire MVC application.
For example, if you want to secure your form:
View:
@using (Html.BeginForm())
{
    @Html.AntiForgeryToken()
    @Html.TextBox("Name")
    <input type="submit" value="Submit"/>
}
Controller:
[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult PostMethod(FormCollection collection)
{
    // Logic goes here; the action only runs if the posted token matches the cookie token
    return View();
}
Upvotes: -1
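The answer above shows per-action validation in classic MVC. The ASP.NET Core counterpart, as an added example that is not code from the page, applies validation to every unsafe-method action through a global AutoValidateAntiforgeryTokenAttribute filter, so an action can no longer be left unprotected by a forgotten attribute, and it uses the HeaderName option from the earlier answer so that script-driven requests can carry the token in a header instead of a form field. The names Startup, AccountController, Token and ChangeEmail are assumptions for the example.

```csharp
// Startup.cs and a controller for an ASP.NET Core 3.1 MVC app (added example).
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAntiforgery(options =>
        {
            // Header that non-form (fetch/XHR) requests use to present the request token
            options.HeaderName = "X-CSRF-TOKEN";
            // Antiforgery cookie is always marked Secure
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        });

        // Validate the token on every POST/PUT/PATCH/DELETE action in the application,
        // instead of relying on [ValidateAntiForgeryToken] being remembered per action.
        services.AddControllersWithViews(mvc =>
            mvc.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()));
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseHttpsRedirection();
        app.UseRouting();
        app.UseEndpoints(endpoints => endpoints.MapDefaultControllerRoute());
    }
}

// Hypothetical controller used to illustrate the pattern.
public class AccountController : Controller
{
    private readonly IAntiforgery _antiforgery;

    public AccountController(IAntiforgery antiforgery) => _antiforgery = antiforgery;

    // Issues the cookie token (Set-Cookie) and hands the matching request token
    // to a same-origin script, which sends it back in the X-CSRF-TOKEN header.
    // GET actions are not validated by the global filter.
    [HttpGet]
    public IActionResult Token()
    {
        AntiforgeryTokenSet tokens = _antiforgery.GetAndStoreTokens(HttpContext);
        return Json(new { headerName = tokens.HeaderName, token = tokens.RequestToken });
    }

    // No attribute needed: the global filter rejects this POST with 400 unless the
    // X-CSRF-TOKEN header (or the hidden form field) matches the cookie token.
    [HttpPost]
    public IActionResult ChangeEmail(string email)
    {
        // ... persist the change for the signed-in user ...
        return Ok();
    }
}
```

Razor forms rendered with the form tag helper or Html.AntiForgeryToken() keep working unchanged under the global filter; only endpoints that deliberately accept cross-site posts (for example a webhook) need an explicit [IgnoreAntiforgeryToken], which makes every exception visible in code review.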