Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion aspnetcore/blazor/forms/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -319,7 +319,7 @@ The the `DisableCsrfProtection` configuration setting can be supplied by any con
> [!WARNING]
> Disabling the automatic CSRF protection middleware removes the default header-based (`Sec-Fetch-Site`/`Origin`) protection for the entire app. Only disable it if you provide an alternative CSRF defense, such as explicitly adopting token-based antiforgery middleware by calling <xref:Microsoft.AspNetCore.Builder.AntiforgeryApplicationBuilderExtensions.UseAntiforgery%2A>.

For more information, see <xref:security/csrf-protection>.
For more information, see [Automatic CSRF protection](xref:security/anti-request-forgery#automatic-csrf-protection-in-aspnet-core).

> [!IMPORTANT]
> The following guidance on the <xref:Microsoft.AspNetCore.Components.Forms.AntiforgeryToken> component and the <xref:Microsoft.AspNetCore.Components.Forms.AntiforgeryStateProvider> service only apply to an app that explicitly adopts token-based Antiforgery Middleware by calling <xref:Microsoft.AspNetCore.Builder.AntiforgeryApplicationBuilderExtensions.UseAntiforgery%2A> in its request processing pipeline.
Expand Down
2 changes: 1 addition & 1 deletion aspnetcore/blazor/security/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -101,7 +101,7 @@ The the `DisableCsrfProtection` configuration setting can be supplied by any con
> [!WARNING]
> Disabling the automatic CSRF protection middleware removes the default header-based (`Sec-Fetch-Site`/`Origin`) protection for the entire app. Only disable it if you provide an alternative CSRF defense, such as explicitly adopting token-based antiforgery middleware by calling <xref:Microsoft.AspNetCore.Builder.AntiforgeryApplicationBuilderExtensions.UseAntiforgery%2A>.

For more information, see <xref:security/csrf-protection>.
For more information, see [Automatic CSRF protection](xref:security/anti-request-forgery#automatic-csrf-protection-in-aspnet-core).

> [!IMPORTANT]
> The following guidance on the <xref:Microsoft.AspNetCore.Components.Forms.AntiforgeryToken> component and the <xref:Microsoft.AspNetCore.Components.Forms.AntiforgeryStateProvider> service only apply to an app that explicitly adopts token-based antiforgery middleware by calling <xref:Microsoft.AspNetCore.Builder.AntiforgeryApplicationBuilderExtensions.UseAntiforgery%2A> in its request processing pipeline.
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -54,7 +54,7 @@ app.UseAntiforgery();

Apps that call `app.UseAntiforgery()`, directly or implicitly through `AddRazorComponents`, require no changes.

If you intentionally removed `app.UseAntiforgery()` and want to rely on the automatic cross-origin CSRF protection instead, no action is required. Be aware that antiforgery tokens are no longer generated for your forms, and cross-origin form posts are rejected based on `Sec-Fetch-Site` and `Origin` rather than tokens. For more information, see <xref:security/csrf-protection> and <xref:migration/antiforgery-to-csrf>.
If you intentionally removed `app.UseAntiforgery()` and want to rely on the automatic cross-origin CSRF protection instead, no action is required. Be aware that antiforgery tokens are no longer generated for your forms, and cross-origin form posts are rejected based on `Sec-Fetch-Site` and `Origin` rather than tokens. For more information, see <xref:security/anti-request-forgery> and <xref:migration/100-to-110>.

## Affected APIs

Expand Down
6 changes: 5 additions & 1 deletion aspnetcore/migration/100-to-110.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ title: Migrate from ASP.NET Core in .NET 10 to ASP.NET Core in .NET 11
author: wadepickett
description: Learn how to migrate an ASP.NET Core in .NET 10 to ASP.NET Core in .NET 11.
ms.author: wpickett
ms.date: 06/09/2026
ms.date: 07/15/2026
uid: migration/100-to-110
---
# Migrate from ASP.NET Core in .NET 10 to ASP.NET Core in .NET 11
Expand Down Expand Up @@ -73,6 +73,10 @@ In the project file, update each [`Microsoft.AspNetCore.*`](https://www.nuget.or

[!INCLUDE[](~/migration/100-to-110/includes/blazor.md)]

## Security

[!INCLUDE[](~/migration/100-to-110/includes/security.md)]

## Breaking changes

Use the articles in [Breaking changes in .NET](/dotnet/core/compatibility/breaking-changes) to find breaking changes that might apply when upgrading an app to a newer version of .NET.
22 changes: 22 additions & 0 deletions aspnetcore/migration/100-to-110/includes/security.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
### Automatic CSRF protection

.NET 11 adds automatic Cross-Site Request Forgery (CSRF) protection. When an app is built with `WebApplication.CreateBuilder` and has endpoints, a middleware is wired up by default that inspects the `Sec-Fetch-Site` and `Origin` headers and records a validation verdict on the request.

The middleware validates endpoints that opt in to antiforgery validation—that is, endpoints with metadata implementing `IAntiforgeryMetadata` where `RequiresValidation` is `true`. The framework sets this automatically for:

* All Blazor server-side rendering (SSR) endpoints. Each is protected by default; a page can opt out with `@attribute [RequireAntiforgeryToken(false)]`.
* Minimal API endpoints that bind form data.
* MVC actions that use antiforgery validation, such as those annotated with `[ValidateAntiForgeryToken]` or `[AutoValidateAntiforgeryToken]`.

Endpoints that bind JSON, such as a plain `MapPost` or a Web API `[HttpPost]` action, have no behavioral change.

Going forward, the automatic CSRF protection is the recommended defense, and most apps no longer need the token-based antiforgery system. Keep the token-based system when the app must support browsers that don't send `Sec-Fetch-Site`, uses <xref:Microsoft.AspNetCore.Antiforgery.IAntiforgeryAdditionalDataProvider>, or must keep the token defense as an independent layer for a compliance requirement. Both protections can coexist.

To simplify an app that configures antiforgery explicitly, drop the <xref:Microsoft.Extensions.DependencyInjection.AntiforgeryServiceCollectionExtensions.AddAntiforgery%2A> and <xref:Microsoft.AspNetCore.Builder.AntiforgeryApplicationBuilderExtensions.UseAntiforgery%2A> calls and rely on the automatic protection. For most apps, this is a one-line change with no other code updates. For Blazor static SSR, removing `app.UseAntiforgery()` also stops antiforgery token generation for rendered forms; see [Blazor server-side rendering defers antiforgery validation to middleware](/aspnet/core/breaking-changes/11/blazor-server-side-rendering-deferred-cross-site-request-forgery-protection).

A `400 Bad Request` on a cross-origin form post is the CSRF protection working as intended. When the request comes from a legitimate origin, allow that origin rather than suppressing the check:

* Configure [CORS](xref:security/cors) so the endpoint's resolved policy includes the caller's origin. The CSRF middleware honors that policy and allows the request.
* Only opt an endpoint out with `.DisableAntiforgery()` (minimal APIs) or `[IgnoreAntiforgeryToken]` (MVC) when it isn't vulnerable to CSRF, such as an endpoint that isn't reachable from a browser or that authenticates with a non-cookie mechanism (for example, bearer authentication).

For a full description of the middleware, the validation rules, and how it interacts with the token-based antiforgery system, see [Automatic CSRF protection in ASP.NET Core](xref:security/anti-request-forgery#automatic-csrf-protection-in-aspnet-core).
229 changes: 0 additions & 229 deletions aspnetcore/migration/antiforgery-to-csrf.md

This file was deleted.

6 changes: 3 additions & 3 deletions aspnetcore/release-notes/aspnetcore-11/includes/blazor.md
Original file line number Diff line number Diff line change
Expand Up @@ -790,16 +790,16 @@ For more information, see [Fix TempData and SupplyParameterFromSession persisten

### Redundant `app.UseAntiforgery()` removed from Blazor Web App templates

[CSRF protection](xref:security/csrf-protection) is enabled by default via the auto-injected CSRF Protection Middleware, so the explicit `app.UseAntiforgery()` call in Blazor Web App templates has been removed.
[CSRF protection](xref:security/anti-request-forgery#automatic-csrf-protection-in-aspnet-core) is enabled by default via the auto-injected CSRF protection middleware, so the explicit `app.UseAntiforgery()` call in Blazor Web App templates has been removed.

For more information, see the following resources:

* <xref:migration/antiforgery-to-csrf>
* <xref:migration/100-to-110>
* [Blazor server-side rendering defers antiforgery validation to middleware (breaking change announcement)](/aspnet/core/breaking-changes/11/blazor-server-side-rendering-deferred-cross-site-request-forgery-protection)

General coverage for the new automatic CSRF protection in ASP.NET Core:

* <xref:security/csrf-protection>
* <xref:security/anti-request-forgery>
* <xref:blazor/forms/index#antiforgery-support>
* <xref:blazor/security/index#antiforgery-support>

Expand Down
Loading
Loading