Why is AntForgeryToken not included in every form by default?

Question

Why is AntForgeryToken not included in every form by default?

I am wondering why this is not the AntiForgeryToken included in every ASP.NET MVC form by default? It seems that the pluses that always include it outweigh the possible flaws. And this behavior can be disabled if necessary, for example, for web forms HttpRequestValidationException .

+4

security asp.net-mvc csrf

Alexander Prokofyev Apr 29 '09 at 10:19

source share

2 answers

I think because you would not want to have it in forms using the GET method.

+4

Çağdaş Tekin Apr 29 '09 at 10:47

source share

Fenton · Accepted Answer · 2009-04-29T10:44:34+0000

In February, AntiForgeryToken was only migrated from “MVC Futures” to “MVC Core”, so the likelihood that the synchronization was not done by the embedded device did not allow this.

Another possible reason is that the team that developed the MVC framework really put all the power into the hands of the developers. You can use something else instead of AntiForgeryToken in the same way as you can use a different testing structure, data structure, etc. This is a new approach when you look at MS historically, where they will use you in using what they put.

Why is AntForgeryToken not included in every form by default?

More articles: