0

My ASP.NET MVC application has multiple pages, most of which can only be accessed after logging in.

Should I add the AntiForgeryToken to every POST request, or only to the areas that I feel are important?

I will definitely be adding it to the Login page, but do I also need it for the publicly accessible Register page?

user1786107
  • 1
    [When the use of a AntiForgeryToken is not required /needed?](http://security.stackexchange.com/questions/2120/when-the-use-of-a-antiforgerytoken-is-not-required-needed) –  May 27 '16 at 12:14
  • 1
    It costs nothing and requires virtually no effort to use it. If it then enhances security of your application *at all*, why not just use it? – Chris Pratt May 27 '16 at 12:42

1 Answer

1

It's a good rule to add it to every POST action, even if you think the action doesn't need it, because you don't know what changes to that action may occur in the future.

Where I work, it's a standard that we all follow.

Clint B
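One way to apply the "every POST action" rule from the answer above without relying on each developer to remember the attribute is a global filter. This is an added example, not code from the question or the answer; it assumes classic ASP.NET MVC 5 (`System.Web.Mvc`), and the class name `ValidateAntiForgeryTokenOnPostAttribute` is hypothetical.

```csharp
using System;
using System.Web.Mvc;

// Added example (hypothetical class name): runs the framework's own
// anti-forgery validation on every POST, so a new or modified action
// cannot be left unprotected by accident.
public sealed class ValidateAntiForgeryTokenOnPostAttribute
    : FilterAttribute, IAuthorizationFilter
{
    // Reuse the built-in validator rather than re-implementing the check.
    private static readonly ValidateAntiForgeryTokenAttribute Validator =
        new ValidateAntiForgeryTokenAttribute();

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null)
        {
            throw new ArgumentNullException(nameof(filterContext));
        }

        string method = filterContext.HttpContext.Request.HttpMethod;

        // GET requests are expected to be free of side effects and carry
        // no token, so only POST requests are validated here.
        if (!string.Equals(method, "POST", StringComparison.OrdinalIgnoreCase))
        {
            return;
        }

        // Throws HttpAntiForgeryException when the cookie token or the
        // form token is missing or the two do not match.
        Validator.OnAuthorization(filterContext);
    }
}

public static class FilterConfig
{
    // Called from Application_Start in Global.asax.cs (default MVC 5 template).
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new ValidateAntiForgeryTokenOnPostAttribute());
    }
}
```

Every form that posts, including the public Login and Register pages, still has to emit the token with `@Html.AntiForgeryToken()`, and AJAX POSTs have to send the `__RequestVerificationToken` form field, or the request is rejected.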