---
title: Apply CSRF Protection
impact: HIGH
impactDescription: prevents cross-site request forgery attacks
tags: csrf, tokens, forms, security, csharp
---

## Apply CSRF Protection

CSRF attacks trick an authenticated user's browser into sending a state-changing request the user never intended, riding on the session cookie the browser attaches automatically. ASP.NET Core provides built-in antiforgery-token protection that ties each form submission to the user's session.

**Incorrect (disabled or missing validation):**

```csharp
[HttpPost]
// Missing [ValidateAntiForgeryToken]
public IActionResult Transfer(int amount)
{
    // ...
}
```

**Correct (enabled protection):**

```csharp
[HttpPost]
[ValidateAntiForgeryToken] // Enforce token validation
public IActionResult Transfer(int amount)
{
    // ...
}

// Razor Pages validate the antiforgery token automatically, and the <form>
// tag helper emits the hidden __RequestVerificationToken field for you.
// For AJAX requests, read that hidden field and send it in the request header
// (the default header name is "RequestVerificationToken"):
/*
    headers: {
        "RequestVerificationToken": $('input[name="__RequestVerificationToken"]').val()
    }
*/
```
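As an added example (not part of the original rule, and not code from any particular project), the following minimal ASP.NET Core setup enforces the token site-wide instead of relying on a per-action attribute, pins the header name that AJAX clients must use, and exposes a token endpoint so script clients can obtain the value they send in that header. `AccountController`, the `/Account/Token` route and `WebhookCallback` are names chosen for this illustration; authentication middleware is assumed to be configured elsewhere.

```csharp
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Mvc;

var builder = WebApplication.CreateBuilder(args);

// Register MVC and apply antiforgery validation globally: every POST, PUT, PATCH
// and DELETE action is rejected with 400 unless it carries a valid token.
// This removes the need to remember [ValidateAntiForgeryToken] on each action;
// safe methods (GET, HEAD, OPTIONS, TRACE) are not checked.
builder.Services.AddControllersWithViews(options =>
    options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()));

// Header that AJAX clients use. This is the framework default, stated
// explicitly so that it visibly matches the client-side code.
builder.Services.AddAntiforgery(options =>
    options.HeaderName = "RequestVerificationToken");

var app = builder.Build();
app.UseRouting();
app.UseAuthorization();   // assumes authentication is configured elsewhere
app.MapDefaultControllerRoute();
app.Run();

// Hypothetical controller, named for this example only.
public class AccountController : Controller
{
    private readonly IAntiforgery _antiforgery;

    public AccountController(IAntiforgery antiforgery) => _antiforgery = antiforgery;

    // Script clients call GET /Account/Token once to obtain a request token.
    // GetAndStoreTokens also sets the matching cookie token on the response,
    // so the pair is bound to this browser session and is useless to a foreign
    // origin, which cannot read the JSON body because of the same-origin policy.
    [HttpGet]
    public IActionResult Token()
    {
        AntiforgeryTokenSet tokens = _antiforgery.GetAndStoreTokens(HttpContext);
        return Json(new { token = tokens.RequestToken });
    }

    // State-changing action: validated by the global filter, no attribute needed.
    // A request arriving without a valid token (or header) never reaches this body.
    [HttpPost]
    public IActionResult Transfer(int amount)
    {
        // ... perform the transfer for the authenticated user ...
        return Ok();
    }

    // Explicit opt-out for an endpoint that is not cookie-authenticated
    // (for example a server-to-server callback using a bearer token).
    // CSRF only applies where the browser attaches credentials automatically,
    // and making the exception visible in code is what keeps it reviewable.
    [HttpPost]
    [IgnoreAntiforgeryToken]
    public IActionResult WebhookCallback() => Ok();
}
```

With the global filter in place, the `[ValidateAntiForgeryToken]` attribute on the Correct block above becomes redundant but harmless. A client script fetches `/Account/Token`, then sends `RequestVerificationToken: <token>` on each POST, which is exactly the header shown in the AJAX snippet; the analyzer rule CA5391 listed under Tools recognises the global `AutoValidateAntiforgeryTokenAttribute` filter as satisfying the requirement.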

**Tools:** Roslyn Analyzers (CA5391), SonarQube
