ContextQMD
Back to Devexpress

Prevent Cross-Site Request Forgery Attacks (CSRF)

aspnet-404869-security-considerations-prevent-csrf.md

latest2.8 KB
Original Source

Prevent Cross-Site Request Forgery Attacks (CSRF)

  • Dec 09, 2025
  • 3 minutes to read

In Cross-Site Request Forgery (CSRF) attacks, a threat actor tricks an authenticated user into executing unauthorized commands.

Use anti-forgery tokens to protect your application from CSRF attacks. These tokens work as follows:

  1. Once the client requests an HTML page with a form, the server generates two random tokens.
  2. The server adds these tokens in the response. It sends one token as an HttpOnly cookie and places another token in a hidden form field.
  3. Each time a user submits the form, the client sends tokens back to the server.
  4. If the server receives a request that does not include both tokens or if a token was modified, the server rejects the request.

To use anti-forgery tokens in your application callbacks:

  1. Make certain that the application references the System.Web.WebPages.dll assembly.

  2. Create a master page that generates an AntiForgery token:

  3. During master page initialization, add a handler for the Page.PreLoad event:

  4. In the event handler, call the Validate method to check whether the token is valid:

Validate Anti‑Forgery Tokens for Individual Controls

The following DevExpress ASP.NET Web Forms components implement custom request processing:

Internal requests from these controls are processed by the DevExpress HTTP module instead of the standard page handler. As a result, an AntiForgery.Validate() call from Page_PreLoad is not executed for these requests. You must apply the additional steps below.

Note

The following steps supplement, but do not replace, anti forgery token validation for callbacks described above. Implement both mechanisms for CSRF protection.

  1. Make certain that the master page generates an anti-forgery token:

  2. Add a client function that injects the token into the RequestVerificationToken HTTP request header.

  3. Pass the function name to the control’s BeforeSend property to add the token to all internal HTTP requests.

  4. Implement IHttpModuleSubscriber to validate the RequestVerificationToken HTTP request header against the anti forgery cookie token. Reject all unsafe requests that fail validation.

  5. Register the AntiforgeryOfficeHttpModuleSubscriber at application startup so the DevExpress module can invoke it for matching requests.