19 changes: 18 additions & 1 deletion aspnetcore/security/anti-request-forgery.md
Expand Up @@ -7,7 +7,7 @@ description: Discover how to prevent attacks against web apps where a malicious
monikerRange: '>= aspnetcore-3.1'
ms.author: tdykstra
ms.custom: mvc
ms.date: 01/22/2026
ms.date: 06/03/2026
uid: security/anti-request-forgery
---
# Prevent Cross-Site Request Forgery (XSRF/CSRF) attacks in ASP.NET Core
Expand Down Expand Up @@ -343,6 +343,23 @@ When a form is submitted without a valid antiforgery token:
* In the `Development` environment, an exception is thrown.
* In the `Production` environment, a message is logged.

### HTTP method limitations and `HttpMethodOverrideMiddleware` interaction

`AntiforgeryMiddleware` and `UseAntiforgery()` validate antiforgery tokens only for HTTP **POST**, **PUT**, and **PATCH** requests. Other HTTP methods, such as **DELETE**, aren't validated automatically.

To validate antiforgery tokens for other HTTP methods, resolve <xref:Microsoft.AspNetCore.Antiforgery.IAntiforgery> from DI and call <xref:Microsoft.AspNetCore.Antiforgery.IAntiforgery.ValidateRequestAsync%2A> or <xref:Microsoft.AspNetCore.Antiforgery.IAntiforgery.IsRequestValidAsync%2A> explicitly:

```csharp
app.MapDelete("/item/{id}", async (int id, IAntiforgery antiforgery, HttpContext context) =>
{
await antiforgery.ValidateRequestAsync(context);
// Process the DELETE request
});
```

> [!WARNING]
> When `HttpMethodOverrideMiddleware` is configured with `FormFieldName` (form-field mode) and placed before `AntiforgeryMiddleware`, a POST request can be overridden to DELETE (or another non-validated method). Because `AntiforgeryMiddleware` validates only POST, PUT, and PATCH, the overridden request bypasses antiforgery validation. To protect these endpoints, validate the antiforgery token explicitly using `IAntiforgery.ValidateRequestAsync`.

## Windows authentication and antiforgery cookies

When using Windows Authentication, application endpoints must be protected against CSRF attacks in the same way as done for cookies. The browser implicitly sends the authentication context to the server and endpoints need to be protected against CSRF attacks.
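Review bot: the `MapDelete` sample calls `await antiforgery.ValidateRequestAsync(context);` but does not show what happens when the token is missing or invalid; the paragraph above names both `ValidateRequestAsync` and `IsRequestValidAsync`, and since the first throws an `AntiforgeryValidationException` while the second returns a bool, the snippet should either catch that exception and return a 400 (`Results.BadRequest()`) or branch on `IsRequestValidAsync` so readers do not copy an endpoint whose failure path is an unhandled exception surfaced to the client. The WARNING also leaves the ordering question open: it states the bypass occurs when `HttpMethodOverrideMiddleware` is "placed before `AntiforgeryMiddleware`" in form-field mode, so it would help to say explicitly whether registering the override middleware after antiforgery is itself a fix, or whether explicit validation with `IAntiforgery.ValidateRequestAsync` is required regardless of order, and whether the header-based override mode is affected the same way.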