Skip to content

Consolidate CSRF migration guidance and update the reference doc#37329

Open
DeagleGross wants to merge 12 commits into
dotnet:mainfrom
DeagleGross:deaglegross-silver-memory
Open

Consolidate CSRF migration guidance and update the reference doc#37329
DeagleGross wants to merge 12 commits into
dotnet:mainfrom
DeagleGross:deaglegross-silver-memory

Conversation

@DeagleGross

@DeagleGross DeagleGross commented Jul 10, 2026

Copy link
Copy Markdown
Member

Consolidates the .NET 10 → 11 CSRF migration guidance and brings the reference doc in line with the shipped middleware behavior.

Changes

  1. Drop the standalone migration article. Deletes aspnetcore/migration/antiforgery-to-csrf.md, removes its toc.yml entry, and adds a redirect to security/csrf-protection.
  2. Inline a short migration section into the general 10→11 guide (migration/100-to-110/includes/security.md). It focuses on what a user upgrading from .NET 10 needs to do, recommends relying on automatic CSRF protection going forward, and notes that the token-based antiforgery system is fine to keep in specific cases (old browsers without Sec-Fetch-Site, IAntiforgeryAdditionalDataProvider, compliance).
  3. Update security/csrf-protection.md to match the current implementation on dotnet/aspnetcore main:

Related implementation PRs: dotnet/aspnetcore#67460, dotnet/aspnetcore#67488, dotnet/aspnetcore#67618.

Opened as draft for review.


Internal previews

📄 File 🔗 Preview link
aspnetcore/blazor/forms/index.md ASP.NET Core Blazor forms overview
aspnetcore/blazor/security/index.md ASP.NET Core Blazor authentication and authorization
aspnetcore/breaking-changes/11/blazor-server-side-rendering-deferred-cross-site-request-forgery-protection.md Blazor server-side rendering defers antiforgery validation to middleware
aspnetcore/migration/100-to-110.md [Visual Studio](https://review.learn.microsoft.com/en-us/aspnet/core/migration/100-to-110?branch=pr-en-us-37329)
aspnetcore/security/anti-request-forgery.md Prevent Cross-Site Request Forgery (XSRF/CSRF) attacks in ASP.NET Core
aspnetcore/toc.yml aspnetcore/toc

DeagleGross and others added 2 commits July 10, 2026 09:52
Adds a short "Security" section pointing readers at
<xref:security/csrf-protection> and <xref:migration/antiforgery-to-csrf>.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Splits the guidance into "already uses AddAntiforgery/UseAntiforgery"
vs "doesn't configure antiforgery explicitly", then covers opt-out and
CORS in a single follow-up paragraph.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@DeagleGross
DeagleGross marked this pull request as ready for review July 10, 2026 08:07
@DeagleGross
DeagleGross marked this pull request as draft July 15, 2026 14:00
…plementation

- Delete standalone migration/antiforgery-to-csrf.md; add redirect and remove toc entry
- Inline a short CSRF migration section into the 100-to-110 security include
- Update security/csrf-protection.md to match the shipped middleware:
  scope validation to endpoints with IAntiforgeryMetadata.RequiresValidation,
  record a verdict instead of short-circuiting, correct registration conditions,
  fix examples to form-handling endpoints, and update the log event name/message

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@DeagleGross DeagleGross changed the title Mention automatic CSRF protection in .NET 10 -> 11 migration article Consolidate CSRF migration guidance and update the reference doc Jul 15, 2026
DeagleGross and others added 3 commits July 15, 2026 16:21
… deaglegross/csrf-docs-update

# Conflicts:
#	aspnetcore/migration/antiforgery-to-csrf.md
#	aspnetcore/security/csrf-protection.md
Drop the unsafe-HTTP-methods phrasing; frame scope as endpoints that opt in to antiforgery validation (all Blazor SSR endpoints by default, minimal/MVC via IAntiforgeryMetadata); state JSON-binding endpoints have no behavioral change; and reframe the 400 guidance so opt-out is not presented as a way to suppress the check.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Merge security/csrf-protection.md into security/anti-request-forgery.md so there is a single article. Under Authentication fundamentals, add a Fetch metadata headers subsection (>=11.0). Add an Automatic CSRF protection in ASP.NET Core section before the token-based Antiforgery sections, gated to >=11.0 inside the existing >=8.0 moniker zone (zones are split, not nested). Delete csrf-protection.md, add redirects to anti-request-forgery, remove the toc entry, and repoint all inbound xrefs.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@DeagleGross
DeagleGross requested a review from danroth27 July 15, 2026 16:10
@DeagleGross
DeagleGross marked this pull request as ready for review July 15, 2026 16:10
@DeagleGross
DeagleGross requested a review from guardrex as a code owner July 15, 2026 16:10
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

@guardrex guardrex left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Mostly just NITs. I'll approve, but either I or someone else will need to approve again for merging.

WRT the em dashes, note that the style manual calls for no spaces around them ...

https://learn.microsoft.com/style-guide/punctuation/dashes-hyphens/

Let me know if you have any questions about any of my suggestions.

Comment thread aspnetcore/blazor/forms/index.md Outdated
Comment thread aspnetcore/blazor/security/index.md Outdated
Comment thread aspnetcore/migration/100-to-110/includes/security.md Outdated
Comment thread aspnetcore/migration/100-to-110/includes/security.md Outdated
Comment thread aspnetcore/migration/100-to-110/includes/security.md Outdated
Comment thread aspnetcore/security/anti-request-forgery.md Outdated
Comment thread aspnetcore/security/anti-request-forgery.md Outdated
Comment thread aspnetcore/security/anti-request-forgery.md Outdated
Comment thread aspnetcore/security/anti-request-forgery.md Outdated
Comment thread aspnetcore/security/anti-request-forgery.md Outdated

@guardrex guardrex left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Mostly just NITs. I'll approve, but either I or someone else will need to approve again for merging.

WRT the em dashes, note that the style manual calls for no spaces around them ...

https://learn.microsoft.com/style-guide/punctuation/dashes-hyphens/

Let me know if you have any questions about any of my suggestions.

@tdykstra tdykstra left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice work! It looks like you thought of everything.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants