Add antiforgery/CSRF protection for form endpoints #2430

Merged: jeremydmiller merged 1 commit into main from 2407-antiforgery-support on Apr 3, 2026
@jeremydmiller
Member

Summary

  • Automatically apply IAntiforgeryMetadata with RequiresValidation=true for [FromForm] and file upload endpoints
  • Add [DisableAntiforgery] attribute to opt out (method or class level)
  • Add [ValidateAntiforgery] attribute to opt in for non-form endpoints
  • Add RequireAntiforgeryOnAll() convenience method on WolverineHttpOptions
  • Leverages ASP.NET Core's built-in antiforgery middleware — no additional packages needed
  • Added documentation page with code samples

Test plan

  • 5 unit tests covering form auto-detection, non-form exclusion, disable/enable attributes, class-level disable
  • All tests pass on net9.0
  • Builds on net8.0 and net9.0

Closes #2407

🤖 Generated with Claude Code

Automatically apply IAntiforgeryMetadata (RequiresValidation=true) for
[FromForm] and file upload endpoints. Add [DisableAntiforgery] to opt out
and [ValidateAntiforgery] to opt in for non-form endpoints. Add
RequireAntiforgeryOnAll() convenience method. Leverages ASP.NET Core's
built-in antiforgery middleware with no additional packages.

Closes #2407

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@jeremydmiller jeremydmiller merged commit 8cb5ac3 into main Apr 3, 2026
15 of 19 checks passed
jeremydmiller added a commit that referenced this pull request Apr 3, 2026
The antiforgery PR (#2430) automatically applied IAntiforgeryMetadata to
all form endpoints, which caused ASP.NET Core's EndpointMiddleware to
throw when UseAntiforgery() was not in the pipeline. This broke all
form-related HTTP tests and any standalone test builders.

Changed to opt-in via AutoAntiforgeryOnFormEndpoints() on
WolverineHttpOptions. Explicit [ValidateAntiforgery] and
[DisableAntiforgery] attributes still work regardless of the setting.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
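
An added example, not code from this PR or the Wolverine repository, showing the pipeline arrangement the follow-up commit calls for: `UseAntiforgery()` registered before the endpoints are mapped, with the opt-in setting and both attributes in use. Routes, class and method names, and the `Wolverine.Http` namespace for `[DisableAntiforgery]` and `[ValidateAntiforgery]` are assumptions.

```csharp
// Added example: Program.cs for an ASP.NET Core app using Wolverine.HTTP.
using Microsoft.AspNetCore.Mvc;
using Wolverine;
using Wolverine.Http; // assumed namespace for the two antiforgery attributes

var builder = WebApplication.CreateBuilder(args);
builder.Host.UseWolverine();
builder.Services.AddWolverineHttp();
builder.Services.AddAntiforgery(); // ASP.NET Core's built-in antiforgery services

var app = builder.Build();

// If the app uses authentication, UseAntiforgery() goes after
// UseAuthentication()/UseAuthorization(). Per the follow-up commit, an
// endpoint carrying antiforgery metadata makes EndpointMiddleware throw
// when this middleware is missing from the pipeline.
app.UseAntiforgery();

app.MapWolverineEndpoints(opts =>
{
    // Opt in: [FromForm] and file upload endpoints get
    // IAntiforgeryMetadata with RequiresValidation=true.
    opts.AutoAntiforgeryOnFormEndpoints();
});

app.Run();

// Hypothetical endpoints for illustration.
public static class ProfileEndpoints
{
    // Form endpoint: validated automatically once the opt-in above is set.
    [WolverinePost("/profile")]
    public static string Update([FromForm] string displayName)
        => $"Updated {displayName}";

    // Form endpoint deliberately excluded, e.g. a caller that authenticates
    // by other means and cannot carry a browser antiforgery token.
    [DisableAntiforgery]
    [WolverinePost("/integrations/import")]
    public static string Import([FromForm] string payload) => "Accepted";

    // Non-form, state-changing endpoint opted in explicitly; this works
    // regardless of the AutoAntiforgeryOnFormEndpoints() setting.
    [ValidateAntiforgery]
    [WolverineDelete("/profile/{id}")]
    public static string Delete(int id) => $"Deleted {id}";
}
```

Test hosts that build the same endpoints need the same `AddAntiforgery()` and `UseAntiforgery()` calls whenever any endpoint carries the metadata.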
Development

Successfully merging this pull request may close these issues.

Anti-forgery/CSRF token validation for Wolverine.HTTP form endpoints