From the course: ASP.NET: Security

Defending against CSRF

- [Instructor] In theory, preventing cross-site request forgery requires some effort. We need to make sure that the HTTP request cannot be predicted by the attacker. So basically, we need to send a token alongside the request, and the server needs to check that token and validate it, and verify that it's the correct token, for instance, that it matches information in a cookie. Remember, the attacker cannot read out the cookie, but the cookie is sent automatically by the browser. That's the theory. In practice it's very, very easy, because ASP.NET MVC has a very simple yet effective cross-site request forgery protection. Then, in the HTML form, we need to add an additional hidden form field, which contains such a token that helps beat cross-site request forgery. There is an HTML helper for that; it's called AntiForgeryToken. This HTML helper creates the hidden form field with the token and is also setting a cookie with a token value, and that's the (mumbles) end, so to speak, of the cross-site…
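The pattern the instructor describes (hidden form field plus cookie, compared on the server) in working ASP.NET MVC 5 code. This is an added example, not code from the course: the controller, model and action names (TransferController, TransferModel, TransferJson) and the X-RequestVerificationToken header name are hypothetical; Html.AntiForgeryToken, the ValidateAntiForgeryToken attribute, AntiForgeryConfig.CookieName and AntiForgery.Validate are the framework's own members.

```csharp
// Added example (not from the course). TransferController/TransferModel and the
// X-RequestVerificationToken header name are hypothetical; the anti-forgery members
// used are real ASP.NET MVC 5 / System.Web.Helpers APIs.
using System.Web.Helpers;
using System.Web.Mvc;

public class TransferModel
{
    public string ToAccount { get; set; }
    public decimal Amount { get; set; }
}

public class TransferController : Controller
{
    // GET /Transfer renders the form. The Razor view (Views/Transfer/Index.cshtml) is:
    //
    //   @model TransferModel
    //   @using (Html.BeginForm("Index", "Transfer", FormMethod.Post))
    //   {
    //       @Html.AntiForgeryToken()   // emits <input type="hidden" name="__RequestVerificationToken" value="...">
    //                                  // and sets the matching anti-forgery cookie (AntiForgeryConfig.CookieName)
    //       @Html.TextBoxFor(m => m.ToAccount)
    //       @Html.TextBoxFor(m => m.Amount)
    //       <button type="submit">Send</button>
    //   }
    [HttpGet]
    public ActionResult Index()
    {
        return View(new TransferModel());
    }

    // POST /Transfer: the attribute makes MVC compare the hidden-field token with the
    // cookie token before the action body runs. A forged cross-site POST carries the
    // cookie (the browser attaches it automatically) but cannot carry the matching field
    // value, so validation throws HttpAntiForgeryException and the transfer never runs.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Index(TransferModel model)
    {
        if (!ModelState.IsValid)
        {
            return View(model);
        }
        // ... perform the transfer for the authenticated user ...
        return RedirectToAction("Index");
    }

    // Same check for an AJAX/JSON endpoint, where the form-side token arrives in a
    // request header instead of a form field: validate the cookie/token pair explicitly.
    [HttpPost]
    public ActionResult TransferJson(TransferModel model)
    {
        var cookie = Request.Cookies[AntiForgeryConfig.CookieName];
        var headerToken = Request.Headers["X-RequestVerificationToken"]; // header name chosen here
        AntiForgery.Validate(cookie != null ? cookie.Value : null, headerToken); // throws on mismatch
        // ... perform the transfer ...
        return Json(new { ok = true });
    }
}
```

The important property is that both halves must be present and agree: the cookie alone (which any cross-site request gets for free) is not enough, and the hidden field value is only readable by pages served from your own origin. Apply the attribute to every state-changing POST action; a GET action that changes state bypasses the check entirely, so keep state changes on POST.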