AngularJS Web Api AntiForgeryToken CSRF

by

Add to the ASP.NET MVC View that serves the AngularJS SPA, let’s say Views\Home\Index.cshtml, the HTML helper that generates the
AntiForgeryToken.

@Html.AntiForgeryToken();

Configure AngularJS to pass the above generated AntiForgeryToken as Request Header.

angular.module('app')
.run(function ($http) {
    $http.defaults.headers.common['X-XSRF-Token'] =
        angular.element('input[name="__RequestVerificationToken"]').attr('value');
});

Create a custom Web API Filter to validate all non-GET requests (PUT, PATCH, POST, DELETE).

This assumes that all your GET requests are safe and don’t need protecting.
If that’s not the case, remove the if (actionContext.Request.Method.Method != "GET") exclusion.

using System;
using System.Linq;
using System.Net.Http;
using System.Web.Helpers;
using System.Web.Http.Filters;

namespace Care.Web.Filters
{
    public sealed class WebApiValidateAntiForgeryTokenAttribute : ActionFilterAttribute
    {
        public override void OnActionExecuting(
            System.Web.Http.Controllers.HttpActionContext actionContext)
        {
            if (actionContext == null)
            {
                throw new ArgumentNullException("actionContext");
            }

            if (actionContext.Request.Method.Method != "GET")
            {
                var headers = actionContext.Request.Headers;
                var tokenCookie = headers
                    .GetCookies()
                    .Select(c => c[AntiForgeryConfig.CookieName])
                    .FirstOrDefault();

                var tokenHeader = string.Empty;
                if (headers.Contains("X-XSRF-Token"))
                {
                    tokenHeader = headers.GetValues("X-XSRF-Token").FirstOrDefault();
                }

                AntiForgery.Validate(
                    tokenCookie != null ? tokenCookie.Value : null, tokenHeader);
            }

            base.OnActionExecuting(actionContext);
        }
    }
}

Register the newly created filter as a global one, in Global.asax.cs.

    private static void RegisterWebApiFilters(HttpFilterCollection filters)
    {
        filters.Add(new WebApiValidateAntiForgeryTokenAttribute());
    }

Alternatively, if you don’t wish to add this filter globally, you can put it only on certain Web API actions, like this

[WebApiValidateAntiForgeryToken]

This, of course, is by definition less secure, as there’s always the chance that you’ll forget to apply the attribute to an action that needs it.

Also, note that you must have the Microsoft.AspNet.WebApi.Core package in order to have access to System.Web.Http namespace. You can install it via NuGet with Install-Package Microsoft.AspNet.WebApi.Core.

This post has been heavily inspired by this blog post.

More Related Contents:

  1. MVC web api: No ‘Access-Control-Allow-Origin’ header is present on the requested resource
  2. How to secure an ASP.NET Web API [closed]
  3. How to return a file (FileContentResult) in ASP.NET WebAPI
  4. How to add/update child entities when updating a parent entity in EF
  5. Download file from an ASP.NET Web API method using AngularJS
  6. Make sure that the controller has a parameterless public constructor error
  7. Web API Put Request generates an Http 405 Method Not Allowed error
  8. ASP.NET Core MVC : How to get raw JSON bound to a string without a type?
  9. How can I use a reserved keyword as an identifier in my JSON model class?
  10. Deserialising JSON to derived types in Asp.Net Web API
  11. prevent property from being serialized in web API
  12. How to update a claim in ASP.NET Identity?
  13. Difference between MVC 5 Project and Web Api Project
  14. 404 error after adding Web API to an existing MVC Web Application
  15. How to extend IdentityUser with custom property
  16. Return HTML from ASP.NET Web API
  17. TempData null in asp.net core
  18. MVC Attribute Routing Not Working
  19. POST string to ASP.NET Web Api application – returns null
  20. How to add Web API to an existing ASP.NET MVC (5) Web Application project?
  21. Effectively use async/await with ASP.NET Web API
  22. Read HttpContent in WebApi controller
  23. Web Api Request Content is empty in action filter
  24. Why is this web api controller not concurrent?
  25. ASP.NET Web API and [Serializable] class
  26. How to add and get Header values in WebApi
  27. Web API in MVC solution in separate project
  28. WCF Service or Web API [closed]
  29. JSON Deserialization – String Is Automatically Converted To Int
  30. What is the difference between DependencyResolver.SetResolver and HttpConfiguration.DependencyResolver in WebAPI

Leave a Comment