
Add reference doc for automatic CSRF protection in .NET 11 #37230

Open
DeagleGross wants to merge 5 commits into main from deaglegross/csrf-fetch-metadata-docs

Conversation


@DeagleGross DeagleGross commented Jun 5, 2026

Summary

Adds a new reference doc at aspnetcore/security/csrf-protection.md documenting the new automatic Cross-Site Request Forgery (CSRF) protection middleware shipping in .NET 11 (implementation PR: dotnet/aspnetcore#66585, issue: dotnet/aspnetcore#65127).

The new middleware is auto-injected by WebApplication.CreateBuilder and validates Sec-Fetch-Site and Origin headers rather than synchronized tokens. It's additive to the existing token-based antiforgery system documented in security/anti-request-forgery.md; the two coexist.

What's in the doc

  • How it works — 6-step decision flow (safe methods → Sec-Fetch-Site → resolved CORS policy → Sec-Fetch-Site deny → Origin-vs-Host fallback → non-browser allow), with a short subsection on why Sec-Fetch-Site and Origin are trustworthy (forbidden request headers — JS can't override them).
  • Default behavior — minimal app is already protected; integration with .DisableAntiforgery() and [IgnoreAntiforgeryToken].
  • Allowing cross-origin clients — how the middleware reuses the CORS-resolved policy (per-endpoint named → default → fall through). AllowAnyOrigin is intentionally not honored as a CSRF trust signal. [DisableCors] is not a CSRF opt-out.
  • Opting an endpoint out — Minimal API .DisableAntiforgery() and MVC [IgnoreAntiforgeryToken], both bridged to the same IAntiforgeryMetadata in .NET 11.
  • Disabling globally — DisableCsrfProtection config key.
  • Browser support — modern (Sec-Fetch-Site), legacy (Origin fallback), non-browser (allowed).
  • Customizing: implement ICsrfProtection — interface, registration pattern, sample allowlist implementation.
  • Interaction with token-based antiforgery — comparison table and coexistence guidance.
  • Adopting CSRF-only protection in existing apps — how to remove UseAntiforgery() / token form fields when the app targets modern browsers and doesn't rely on IAntiforgeryAdditionalDataProvider.
  • Troubleshooting — 400-from-SPA diagnosis, debug logging category/event name, curl reproducer.

Follow-up commits planned in this PR

This is the first of several files in the plan. Subsequent commits to this branch will add:

  • aspnetcore/migration/antiforgery-to-csrf.md — standalone migration / "I just upgraded and my SPA gets 400s" guide.
  • aspnetcore/migration/100-to-110/includes/csrf.md plus ## Security section in 100-to-110.md referencing it.
  • aspnetcore/release-notes/aspnetcore-11/includes/csrf-protection.md plus a ## Security section in aspnetcore-11.md.
  • Callout at the top of the existing aspnetcore/security/anti-request-forgery.md (inside the >= aspnetcore-8.0 moniker block) linking out to this new doc and the migration article.
  • aspnetcore/toc.yml entry under Security and a migration entry.

Marked as draft until the follow-ups land.

Verification

All <xref:...> targets resolve against existing uids in the repo:

  • security/anti-request-forgery
  • security/cors
  • security/data-protection/introduction

Code claims (decision flow, MVC bridge, CORS resolution order, config key, log category) were cross-checked against the implementation on dotnet/aspnetcore branch dmkorolev/csrf-pr:

  • src/DefaultBuilder/src/Internal/DefaultCsrfProtection.cs
  • src/DefaultBuilder/src/Internal/CsrfProtectionMiddleware.cs
  • src/DefaultBuilder/src/WebApplicationBuilder.cs
  • src/DefaultBuilder/src/WebHost.cs
  • src/Http/Http.Abstractions/src/Antiforgery/ICsrfProtection.cs and CsrfProtectionResult.cs
  • src/Mvc/Mvc.ViewFeatures/src/Filters/AntiforgeryApplicationModelProvider.cs
  • src/Middleware/CORS/src/Infrastructure/CorsEndpointConventionBuilderExtensions.cs

Internal previews

File | Preview link
aspnetcore/migration/antiforgery-to-csrf.md | aspnetcore/migration/antiforgery-to-csrf
aspnetcore/security/csrf-protection.md | aspnetcore/security/csrf-protection
aspnetcore/toc.yml | aspnetcore/toc
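
A constructed model of the six-step decision flow listed under "How it works", added here as an illustration; it is not the CsrfProtectionMiddleware code from dotnet/aspnetcore. The treatment of `same-site`, the Origin-vs-Host comparison, and the `CorsPolicy` shape are assumptions made for the example.

```python
# Constructed model of the six-step CSRF decision flow described in the PR.
# It is an illustration written for this review, not the .NET 11 middleware.
from dataclasses import dataclass, field

SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})


@dataclass
class CorsPolicy:
    """Stand-in for a resolved CORS policy (assumed shape, not the ASP.NET Core type)."""
    origins: frozenset = field(default_factory=frozenset)
    allow_any_origin: bool = False  # deliberately never treated as CSRF trust


def origin_matches_host(origin: str, host: str) -> bool:
    """Compare the authority part of an Origin (scheme://host[:port]) with Host.
    Assumption: 'Origin: null' never matches, so it falls through to a deny."""
    _, _, authority = origin.partition("://")
    return bool(authority) and authority.lower() == host.lower()


def csrf_decision(method: str, headers: dict, policy: "CorsPolicy | None" = None):
    """Return (allowed, reason) for one request; header names are lower-case."""
    # 1. Safe methods do not change state, so they are never a CSRF target.
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    site = headers.get("sec-fetch-site")
    origin = headers.get("origin")
    host = headers.get("host")
    # 2. Sec-Fetch-Site is a forbidden request header: page script cannot set it.
    #    same-origin, or none (typed URL / bookmark), is trusted. Assumption: same-site
    #    is not trusted here and continues to step 3.
    if site in ("same-origin", "none"):
        return True, f"Sec-Fetch-Site={site}"
    # 3. A cross-origin caller passes only if its exact origin is in the resolved
    #    CORS policy; AllowAnyOrigin is ignored on purpose.
    if policy is not None and origin is not None and origin in policy.origins:
        return True, "origin listed in resolved CORS policy"
    # 4. Fetch metadata was present but not trusted -> deny (modern browser path).
    if site is not None:
        return False, f"Sec-Fetch-Site={site} rejected"
    # 5. Legacy browser without fetch metadata: fall back to Origin vs Host.
    if origin is not None:
        if host is not None and origin_matches_host(origin, host):
            return True, "Origin matches Host"
        return False, "Origin does not match Host"
    # 6. Neither header: not a browser (curl, SDK), so CSRF does not apply -> allow.
    return True, "no browser headers, non-browser client"
```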

DeagleGross and others added 5 commits June 5, 2026 14:25
Introduces aspnetcore/security/csrf-protection.md covering the new auto-injected CsrfProtectionMiddleware that ships in .NET 11. Documents:

* Decision flow (Sec-Fetch-Site / Origin / CORS / non-browser fallback)

* Why the headers can be trusted (forbidden request headers)

* Default behavior and integration with .DisableAntiforgery() / [IgnoreAntiforgeryToken]

* Allowing cross-origin clients through resolved CORS policy

* Per-endpoint opt-out and global DisableCsrfProtection escape hatch

* ICsrfProtection customization, browser support, troubleshooting

* Adopting CSRF-only protection in apps currently on the token-based system

Follow-up commits in this PR will add a migration article (xref:migration/antiforgery-to-csrf), a callout in the existing anti-request-forgery doc, the .NET 11 release-notes include, and toc.yml entries.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Adds aspnetcore/migration/antiforgery-to-csrf.md as a standalone article that leads with the positive recommendation (modern apps can drop the token-based system in favor of the automatic CSRF middleware) and includes an upgrade-troubleshooting section for the cross-origin 400 case.

Also trims the duplicate 'Adopting CSRF-only protection' section in csrf-protection.md to a one-line pointer, and links the new article from Additional resources.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Blazor SSR's antiforgery dependency is likely to change, so don't mention it as a reason to keep the token-based system.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

- antiforgery-to-csrf.md: replace fictional .RequireAntiforgeryToken()
  extension with the real RequireAntiforgeryTokenAttribute. Drop the
  reference to scripts from the IAntiforgery sentence (it's server-side).
  Soften "most apps that are upgrading have UseAntiforgery()" to "most
  apps that use the token-based system have UseAntiforgery()".
- csrf-protection.md: add "Aspect" header to the first column of the
  Interaction-with-token-based-antiforgery comparison table.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

- Security: "Automatic CSRF protection" after the existing antiforgery
  entry, pointing to security/csrf-protection.
- Migration and updates: "Adopt automatic CSRF protection in .NET 11"
  right after Overview, pointing to migration/antiforgery-to-csrf.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@DeagleGross DeagleGross marked this pull request as ready for review June 5, 2026 14:04