ASP.NET Core Anti-Forgery Explained

AntiforgeryTokenSet: RequestToken and CookieToken

Anti-forgery options

services.AddAntiforgery(options => 
options.Cookie.Name = "AntiforgeryCookieName";
options.FormFieldName = "AntiforgeryFieldName";
options.HeaderName = "AntiforgeryHeaderName";
options.SuppressXFrameOptionsHeader = false;
<input name="__RequestVerificationToken" type="hidden" value="CfDJ8NrAkS ... s2-m9Yw">


public void Configure(IApplicationBuilder app, IAntiforgery antiforgery)
app.Use(next => context =>
string path = context.Request.Path.Value;
if (
string.Equals(path, "/", StringComparison.OrdinalIgnoreCase) ||
string.Equals(path, "/index.html", StringComparison.OrdinalIgnoreCase))
// The request token can be sent as a JavaScript-readable cookie,
// and Angular uses it by default.
var tokens = antiforgery.GetAndStoreTokens(context);
context.Response.Cookies.Append("XSRF-TOKEN", tokens.RequestToken,
new CookieOptions() { HttpOnly = false });
return next(context);
public void ConfigureServices(IServiceCollection services)
// Angular's default header name for sending the XSRF token.
services.AddAntiforgery(options => options.HeaderName = "X-XSRF-TOKEN");

Single Page Applications (SPA)



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store