如何在 Asp.Net Core 中全局防止 XSS 和 CSRF

Question

I want to prevent my application from XSS and CSRF attacks, I want to make some global check to prevent these.

I have used below code in statup file in ConfigureServices function, it prevents CSRF attacks but I am not sure is it enough to prevent both the attacks or do I need to write some code to prevent XSS separately.

services.AddMvc(options => 
    options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()));

One more doubt : will it work for an API application?

Answer 1

XSS and CSRF are completely different kinds of attacks which have to be defended against in completely different ways.

XSS requires that user input be appropriately escaped for the very specific context in which it is inserted. There is no panacea for it. You cannot solve it globally. (There are various techniques which look for suspicious content in requests which might be XSS but they are rather prone to throwing false positives).