Prevent Cross-Site Request Forgery Attacks (CSRF)

  • Nov 11, 2025
  • 4 minutes to read

In Cross-Site Request Forgery (CSRF) attacks, a threat actor tricks an authenticated user into executing unauthorized commands.

Use anti-forgery tokens to protect your application from CSRF attacks. These tokens work as follows:

  1. When the client requests an HTML page that contains a form, the server generates two random tokens.
  2. The server adds both tokens to the response: one as an HttpOnly cookie and the other in a hidden form field.
  3. Each time the user submits the form, the client sends both tokens back to the server.
  4. If a request does not include both tokens, or if either token was modified, the server rejects the request.

Note

Do not use the GET method for requests that modify data.

Use Anti-Forgery Tokens

To add anti-forgery tokens to a Razor page:

  1. In the view code, generate an AntiForgery token for a form:

  2. Make certain that AJAX requests for all controls include the token value:

  3. To validate the request token on the server, apply the ValidateAntiForgeryToken attribute to the corresponding controller action:

Use Anti‑Forgery Tokens with Individual Controls

Note

The following steps supplement, but do not replace, the anti‑forgery token validation for page-level callbacks described above. Implement both mechanisms for complete CSRF protection.

Dashboard Designer

To protect against CSRF attacks when using the Dashboard Designer:

  1. Inject an anti-forgery token into the Dashboard’s AJAX request header as follows:

  2. Define a custom attribute to validate the anti-forgery token on requests:

  3. Apply this attribute to the controller action that handles Dashboard callbacks:

Spreadsheet, Rich Text Editor, and File Management

To protect against CSRF attacks when using File Manager, File Upload, Rich Text Editor, and Spreadsheet controls:

  1. Generate an anti-forgery token on a page:

  2. Add a client function that injects the token into the RequestVerificationToken HTTP request header.

  3. Pass the function name to the control’s BeforeSend client-side event to add the token to all HTTP requests.

  4. Implement IHttpModuleSubscriber to validate the RequestVerificationToken HTTP request header against the anti‑forgery cookie token. Reject all unsafe requests that fail validation.

  5. Register the AntiforgeryOfficeHttpModuleSubscriber at application startup so the DevExpress module can invoke it for matching requests.
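The following ASP.NET MVC authorization filter is an added example, not code from this page or from DevExpress. It shows the check that step 2 of the Dashboard Designer section and step 4 of this section both perform: the RequestVerificationToken request header is validated against the anti-forgery cookie, and unsafe requests that fail are rejected before the action runs. The attribute name and the 403 responses are assumptions; the header name comes from the steps above.

```csharp
using System;
using System.Net;
using System.Web.Helpers;
using System.Web.Mvc;

// Hypothetical attribute name. Validates the double-submit pair described on this page:
// the anti-forgery cookie issued with the page and the token the client echoes back in
// the RequestVerificationToken request header (the header name used by the steps above).
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public sealed class ValidateHeaderAntiForgeryTokenAttribute : FilterAttribute, IAuthorizationFilter
{
    public const string HeaderName = "RequestVerificationToken";

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        var request = filterContext.HttpContext.Request;

        // Safe methods must not change state (see the Note above about GET),
        // so they carry no token and are let through.
        var method = request.HttpMethod;
        if (method == "GET" || method == "HEAD" || method == "OPTIONS")
            return;

        // Token 1: the HttpOnly cookie written when the page generated its token.
        var cookie = request.Cookies[AntiForgeryConfig.CookieName];
        var cookieToken = cookie != null ? cookie.Value : null;

        // Token 2: the value the client-side BeforeSend handler copied into the header.
        var headerToken = request.Headers[HeaderName];

        if (String.IsNullOrEmpty(cookieToken) || String.IsNullOrEmpty(headerToken))
        {
            // One half of the pair is missing: reject before the action runs.
            filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden, "Anti-forgery token missing");
            return;
        }

        try
        {
            // Checks that both tokens were issued together for this user; throws on mismatch.
            AntiForgery.Validate(cookieToken, headerToken);
        }
        catch (HttpAntiForgeryException)
        {
            filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden, "Anti-forgery token invalid");
        }
    }
}

// Usage (hypothetical): decorate the controller action that handles the Dashboard or
// Office control callbacks with [ValidateHeaderAntiForgeryToken].
```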

See Also

Preventing Cross-Site Request Forgery (CSRF) Attacks in ASP.NET MVC Application