Allow cross site post request on specific ASP.NET Core controller
Question
I am using a complex template for my new ASP.NET Core application. Now I wanted to create a new controller which receives a POST request from another external server. That didn't work. I tried a lot until I found out that there is a mechanism set up which only allows POST request to access my controller which have a certain header (X-XSRF-TOKEN). This is done to prevent a Cross-Site-Request-Forgery attack.
However one specific controller should allow such requests, because this controller is not used from the webpage visitors browser. Is there a way to annotate the controller or any other way to allow this exception?
2 answers
solution1
1 2016-10-05 20:06:00
I finally found the answer and it is indeed possible by using an annotation. Just annotate your controller or action with [IgnoreAntiforgeryTokenAttribute] and the whole XSRF mechanism won't bother your controller any more.
solution2
1 2016-10-05 20:54:03
Note that even if you don't intend to use that controller action from a browser, if it can be accessed via http, it may easily be susceptible to CSRF. An attacker may still for example create a rogue webpage, which if visited by one of your users, makes the user send a request to that action. If session management is cookie-based or equivalent and the action changes server state, it would still be an exploitable vulnerability.
So while you can turn of CSRF protection, you need to consider consequences carefully.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.