diff --git a/aspnetcore/security/anti-request-forgery.md b/aspnetcore/security/anti-request-forgery.md index 40fce0454ae0..764483934d98 100644 --- a/aspnetcore/security/anti-request-forgery.md +++ b/aspnetcore/security/anti-request-forgery.md @@ -7,7 +7,7 @@ description: Discover how to prevent attacks against web apps where a malicious monikerRange: '>= aspnetcore-3.1' ms.author: tdykstra ms.custom: mvc -ms.date: 01/22/2026 +ms.date: 06/03/2026 uid: security/anti-request-forgery --- # Prevent Cross-Site Request Forgery (XSRF/CSRF) attacks in ASP.NET Core 
@@ -343,6 +343,23 @@ When a form is submitted without a valid antiforgery token: * In the `Development` environment, an exception is thrown. * In the `Production` environment, a message is logged. +### HTTP method limitations and `HttpMethodOverrideMiddleware` interaction + +`AntiforgeryMiddleware` and `UseAntiforgery()` validate antiforgery tokens only for HTTP **POST**, **PUT**, and **PATCH** requests. Other HTTP methods, such as **DELETE**, aren't validated automatically. + +To validate antiforgery tokens for other HTTP methods, resolve from DI and call or explicitly: + +```csharp +app.MapDelete("/item/{id}", async (int id, IAntiforgery antiforgery, HttpContext context) => +{ + await antiforgery.ValidateRequestAsync(context); + // Process the DELETE request +}); +``` + +> [!WARNING] +> When `HttpMethodOverrideMiddleware` is configured with `FormFieldName` (form-field mode) and placed before `AntiforgeryMiddleware`, a POST request can be overridden to DELETE (or another non-validated method). Because `AntiforgeryMiddleware` validates only POST, PUT, and PATCH, the overridden request bypasses antiforgery validation. To protect these endpoints, validate the antiforgery token explicitly using `IAntiforgery.ValidateRequestAsync`. + ## Windows authentication and antiforgery cookies When using Windows Authentication, application endpoints must be protected against CSRF attacks in the same way as done for cookies. The browser implicitly sends the authentication context to the server and endpoints need to be protected against CSRF attacks.
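Review bot: The lead-in sentence above the code sample in the second hunk has lost its identifiers ("resolve from DI and call or explicitly:"); it should name the service and the method that the sample and the warning both rely on, e.g. "To validate antiforgery tokens for other HTTP methods, resolve `IAntiforgery` from DI and call `ValidateRequestAsync` explicitly:". The sample itself should also say what happens when validation fails, since the surrounding text only describes the middleware's behaviour (exception in `Development`, log message in `Production`) and a reader may assume the explicit call behaves the same way; a short sentence stating that `ValidateRequestAsync` throws when the token is missing or invalid, and that the endpoint therefore does not reach `// Process the DELETE request`, would close that gap. Finally, the warning correctly ties the bypass to `HttpMethodOverrideMiddleware` running before `AntiforgeryMiddleware` in form-field mode; consider stating explicitly that the explicit validation is needed for every endpoint reachable through the override (not only `DELETE`), since the text says "or another non-validated method" but the example only shows `MapDelete`.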