Consolidate CSRF migration guidance and update the reference doc#37329
Consolidate CSRF migration guidance and update the reference doc#37329DeagleGross wants to merge 12 commits into
Conversation
Adds a short "Security" section pointing readers at <xref:security/csrf-protection> and <xref:migration/antiforgery-to-csrf>. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Splits the guidance into "already uses AddAntiforgery/UseAntiforgery" vs "doesn't configure antiforgery explicitly", then covers opt-out and CORS in a single follow-up paragraph. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…plementation - Delete standalone migration/antiforgery-to-csrf.md; add redirect and remove toc entry - Inline a short CSRF migration section into the 100-to-110 security include - Update security/csrf-protection.md to match the shipped middleware: scope validation to endpoints with IAntiforgeryMetadata.RequiresValidation, record a verdict instead of short-circuiting, correct registration conditions, fix examples to form-handling endpoints, and update the log event name/message Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
… deaglegross/csrf-docs-update # Conflicts: # aspnetcore/migration/antiforgery-to-csrf.md # aspnetcore/security/csrf-protection.md
Drop the unsafe-HTTP-methods phrasing; frame scope as endpoints that opt in to antiforgery validation (all Blazor SSR endpoints by default, minimal/MVC via IAntiforgeryMetadata); state JSON-binding endpoints have no behavioral change; and reframe the 400 guidance so opt-out is not presented as a way to suppress the check. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Merge security/csrf-protection.md into security/anti-request-forgery.md so there is a single article. Under Authentication fundamentals, add a Fetch metadata headers subsection (>=11.0). Add an Automatic CSRF protection in ASP.NET Core section before the token-based Antiforgery sections, gated to >=11.0 inside the existing >=8.0 moniker zone (zones are split, not nested). Delete csrf-protection.md, add redirects to anti-request-forgery, remove the toc entry, and repoint all inbound xrefs. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
guardrex
left a comment
There was a problem hiding this comment.
Mostly just NITs. I'll approve, but either I or someone else will need to approve again for merging.
WRT the em dashes, note that the style manual calls for no spaces around them ...
https://learn.microsoft.com/style-guide/punctuation/dashes-hyphens/
Let me know if you have any questions about any of my suggestions.
guardrex
left a comment
There was a problem hiding this comment.
Mostly just NITs. I'll approve, but either I or someone else will need to approve again for merging.
WRT the em dashes, note that the style manual calls for no spaces around them ...
https://learn.microsoft.com/style-guide/punctuation/dashes-hyphens/
Let me know if you have any questions about any of my suggestions.
tdykstra
left a comment
There was a problem hiding this comment.
Nice work! It looks like you thought of everything.
Consolidates the .NET 10 → 11 CSRF migration guidance and brings the reference doc in line with the shipped middleware behavior.
Changes
aspnetcore/migration/antiforgery-to-csrf.md, removes itstoc.ymlentry, and adds a redirect tosecurity/csrf-protection.migration/100-to-110/includes/security.md). It focuses on what a user upgrading from .NET 10 needs to do, recommends relying on automatic CSRF protection going forward, and notes that the token-based antiforgery system is fine to keep in specific cases (old browsers withoutSec-Fetch-Site,IAntiforgeryAdditionalDataProvider, compliance).security/csrf-protection.mdto match the current implementation ondotnet/aspnetcoremain:IAntiforgeryMetadata { RequiresValidation = true }(form-handling endpoints). PlainMapPost/[HttpPost]JSON endpoints pass through, so nothing that worked on .NET 10 breaks on .NET 11 (Scope default CSRF middleware to endpoints opting in viaIAntiforgeryMetadataaspnetcore#67460).400.UseAntiforgery()can overwrite the verdict.ICsrfProtectionregistered,DisableCsrfProtectionunset) and post-routing ordering (Fix CsrfProtectionMiddleware perf degradations aspnetcore#67488, Rerun PostRoutingPipeline on Rerouting aspnetcore#67618).CsrfValidationFailed) and message.Related implementation PRs: dotnet/aspnetcore#67460, dotnet/aspnetcore#67488, dotnet/aspnetcore#67618.
Opened as draft for review.
Internal previews