Cross-Site Request Forgery (CSRF)


It is possible to trick a user into executing potentially dangerous actions against the target site because it lacks Cross-Site Request Forgery (CSRF) protections. CSRF attacks are a class of confused-deputy attacks that exploit the fact that browsers always attach authorization cookies to requests for a site, regardless of which page initiated the request. The target site therefore has no secure way of verifying that a request was initiated from a link on a trusted domain.


Protect all forms by generating a random, unique nonce value each time the page is requested. Include this nonce in the form as a parameter, usually as a hidden input field. Bind these nonce values to the user's session ID and validate them on submission by comparing the nonce generated for the form with the one the user submitted. When possible, use the built-in CSRF protections offered by vetted libraries or frameworks instead of developing a custom implementation.

If you deploy to a stateless environment, ensure that the nonce state is kept in a central store that every server instance can read, so that a token issued by one instance can be validated by another.
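The synchronizer-token pattern described above, as an added example that is not part of the original advisory: each form render issues a fresh nonce bound to the session ID, the nonce is emitted as a hidden input, and submission succeeds only if a nonce issued for that same session is presented (and it is consumed, so a replayed form fails). The in-memory dictionary is a stand-in for the central store a stateless deployment would need.

```python
import hmac
import secrets
from typing import Dict, Optional, Set, Tuple

# Constructed stand-in for the server-side store: session_id -> outstanding nonces.
# In a stateless / multi-node deployment this would be a shared store every instance reads.
_token_store: Dict[str, Set[str]] = {}


def issue_csrf_token(session_id: str) -> str:
    """Generate a fresh random nonce for one form render and bind it to the session."""
    token = secrets.token_urlsafe(32)
    _token_store.setdefault(session_id, set()).add(token)
    return token


def hidden_input(token: str) -> str:
    """Render the nonce as the hidden form field the page will submit back."""
    return f'<input type="hidden" name="csrf_token" value="{token}">'


def validate_csrf_token(session_id: str, submitted: Optional[str]) -> bool:
    """Accept only a nonce issued for this session, and consume it (single use)."""
    if not submitted:
        return False
    outstanding = _token_store.get(session_id, set())
    # Constant-time comparison against each issued nonce; avoid a plain `in` check.
    match = next((t for t in outstanding if hmac.compare_digest(t, submitted)), None)
    if match is None:
        return False
    outstanding.discard(match)
    return True


def handle_transfer(session_id: str, form: Dict[str, str]) -> Tuple[int, str]:
    """Hypothetical state-changing handler: reject the request before acting on it."""
    if not validate_csrf_token(session_id, form.get("csrf_token")):
        return 403, "CSRF validation failed"
    return 200, f"transferred {form['amount']} to {form['to']}"


if __name__ == "__main__":
    sid = "session-123"  # constructed session ID
    tok = issue_csrf_token(sid)
    print(hidden_input(tok))
    print(handle_transfer(sid, {"csrf_token": tok, "amount": "10", "to": "alice"}))
    # A forged request carries the victim's cookie (session) but cannot know the nonce.
    print(handle_transfer(sid, {"amount": "10", "to": "mallory"}))
```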

Useful links:

Prevent Cross-Site Request Forgery (XSRF/CSRF) attacks in ASP.NET Core