Web security is more important than ever, especially as attackers get smarter. In this post, you\u2019ll learn how to protect your .NET 8 application against CSRF and XSS attacks using built-in .NET features, middleware, and coding best practices.<\/p>\n\n\n\n
CSRF tricks an authenticated user into unknowingly submitting a request to a web application, potentially changing user data or performing unauthorized actions.<\/p>\n\n\n\n
ASP.NET Core (including .NET 8) provides built-in CSRF protection using anti-forgery tokens, primarily for unsafe HTTP methods (POST, PUT, DELETE).<\/p>\n\n\n\n
<form asp-controller=\"Account\" asp-action=\"UpdateEmail\" method=\"post\">\n @Html.AntiForgeryToken()\n <input type=\"email\" name=\"newEmail\" required \/>\n <button type=\"submit\">Update Email<\/button>\n<\/form><\/code><\/pre>\n\n\n\nValidate the token on POST action<\/h3>\n\n\n\n[HttpPost]\n[ValidateAntiForgeryToken]\npublic IActionResult UpdateEmail(string newEmail)\n{\n \/\/ Update logic\n return Ok();\n}<\/code><\/pre>\n\n\n\nThe [ValidateAntiForgeryToken] attribute ensures that the token is checked and rejects any request without a valid token.<\/p>\n\n\n\n
For APIs: Use SameSite Cookies + Custom Header Tokens<\/h2>\n\n\n\n
CSRF tokens don’t apply well to APIs (since many use application\/json requests without forms), so for Web APIs, consider:<\/p>\n\n\n\n
\n- Use SameSite cookies:<\/strong> Prevent cookies from being sent cross-origin.<\/li>\n\n\n\n
- Require a custom header to confirm origin.<\/li>\n<\/ul>\n\n\n\n
services.Configure<CookiePolicyOptions>(options =>\n{\n options.MinimumSameSitePolicy = SameSiteMode.Strict;\n});<\/code><\/pre>\n\n\n\nOn the client, send a custom header (e.g., X-CSRF-TOKEN) that is validated server-side.<\/p>\n\n\n\n
[HttpPost]\npublic IActionResult SecureApi([FromHeader(Name = \"X-CSRF-TOKEN\")] string csrfToken)\n{\n if (csrfToken != expectedToken)\n {\n return Unauthorized();\n }\n\n return Ok(\"Secure call\");\n}<\/code><\/pre>\n\n\n\nUse middleware or filters to validate CSRF headers globally.<\/p>\n\n\n\n
XSS (Cross-Site Scripting) Protection<\/strong><\/h2>\n\n\n\nWhat is XSS?<\/strong><\/h3>\n\n\n\nXSS attack is injecting malicious scripts into trusted content. These scripts can steal cookies, log keystrokes, or hijack sessions.<\/p>\n\n\n\n
Preventing XSS in .NET 8<\/strong><\/h3>\n\n\n\n.NET automatically HTML-encodes Razor output \u2014 but you still need to follow output encoding, input validation, and content security policies (CSP).<\/p>\n\n\n\n
Razor Pages \/ Views: HTML Encoding by Default<\/strong><\/p>\n\n\n\n<p>@Model.UserComment<\/p> <!-- Safe: encoded by default --><\/code><\/pre>\n\n\n\nAvoid using @Html.Raw() unless absolutely necessary and only on trusted content.<\/p>\n\n\n\n
Server-side Validation and Sanitization<\/strong><\/h3>\n\n\n\nUse regex or libraries to sanitize input:<\/p>\n\n\n\n
if (Regex.IsMatch(comment, @\"<script>\", RegexOptions.IgnoreCase))\n{\n ModelState.AddModelError(\"Comment\", \"Script tags are not allowed.\");\n}<\/code><\/pre>\n\n\n\n