aspnetcore-405600-security-considerations-prevent-csrf.md
A Cross-Site Request Forgery (CSRF/XSRF) attack causes an authenticated browser to send unintended requests to your application endpoints. A threat actor can leverage an authenticated browser to execute these forged requests with full privileges.
ASP.NET Core includes built-in protection against CSRF attacks. It generates two correlated tokens: one token is stored in a cookie, and another token is submitted in each request. When a request arrives, the framework compares these tokens. If they match, the request is processed. Otherwise, the request is rejected with an HTTP 400 Bad Request status code.
CSRF protection is activated at the control level.
To activate CSRF protection for the Spreadsheet and Rich Text Editor controls, apply the following changes to your code:
1. On a Razor page or view, inject the anti-forgery service.
2. Add a JavaScript function that generates and persists the cookie token and returns the associated request token.
3. Pass the function name to the control's OnBeforeSend method to include the token in all internal HTTP requests.
4. Enable automatic validation of anti-forgery tokens.
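The steps above combined in one MVC view, as an added example rather than the product documentation's own sample. Assumptions: the view is an MVC view where `Context` is the current HttpContext; the argument the control passes to the OnBeforeSend callback is assumed to be a request-settings object with a `headers` dictionary, and the `Html.DevExpress().Spreadsheet(...)` builder chain is likewise assumed, so check both against the control's API reference for your version.

```razor
@* Added example: wires the ASP.NET Core anti-forgery token into a control's internal requests. *@
@inject Microsoft.AspNetCore.Antiforgery.IAntiforgery Xsrf
@{
    // Generates the cookie token (written to the response as the anti-forgery cookie)
    // and the correlated request token for this render of the page.
    var tokens = Xsrf.GetAndStoreTokens(Context);
}

<script>
    // Returns the request token rendered into the page. The cookie token needs no
    // handling here: the browser attaches the anti-forgery cookie to each request.
    function getAntiForgeryToken() {
        return "@tokens.RequestToken";
    }

    // Callback passed to OnBeforeSend. ASSUMPTION: the control hands this function
    // the pending request's settings object with a "headers" dictionary; adjust the
    // signature to what your control version documents.
    function addAntiForgeryToken(settings) {
        settings.headers = settings.headers || {};
        // HeaderName defaults to "RequestVerificationToken" unless reconfigured.
        settings.headers["@tokens.HeaderName"] = getAntiForgeryToken();
    }
</script>

@* ASSUMPTION: builder chain shown for illustration; OnBeforeSend receives the function name. *@
@(Html.DevExpress().Spreadsheet("spreadsheet")
    .OnBeforeSend("addAntiForgeryToken")
)
```

To enable automatic validation (step 4), register `AutoValidateAntiforgeryTokenAttribute` as a global filter in Program.cs, for example `builder.Services.AddControllersWithViews(o => o.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()));`, so every unsafe request (POST, PUT, PATCH, DELETE) without a matching token pair is rejected with 400.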