Solving '__RequestVerificationToken' Anti-Forgery Form Field is Present for Enhanced Security

In web applications, Cross-Site Request Forgery (CSRF) is a common vulnerability that can lead to unauthorized actions being performed on behalf of an authenticated user. To mitigate this risk, developers often use anti-forgery tokens, such as the __RequestVerificationToken field in ASP.NET applications. This guide will walk you through the process of ensuring this field is present in your forms, enhancing your application's security.


Step 1: Enable Anti-Forgery Token Validation

To start using the __RequestVerificationToken field in your ASP.NET Core application, you need to enable anti-forgery token validation. This can be done by adding the [ValidateAntiForgeryToken] attribute to your controller actions that handle form submissions.

public IActionResult SubmitForm(MyViewModel model)
    // Your form processing logic here

This attribute tells the application to validate the presence of the __RequestVerificationToken field in the submitted form data.

Step 2: Include the Anti-Forgery Token in Your Form

Now that you've enabled token validation, you need to include the __RequestVerificationToken field in your forms. In an ASP.NET Core application, you can use the @Html.AntiForgeryToken() helper method to generate the field.

<form method="post">
    <!-- Your form fields here -->
    <button type="submit">Submit</button>

This will render an <input> element with the __RequestVerificationToken name and a unique value for each form instance.

Step 3: Verify the Token's Presence

When a form is submitted, the application will automatically verify the presence and validity of the __RequestVerificationToken field. If the token is missing or invalid, the request will be rejected, and an AntiForgeryValidationException will be thrown.

To handle this exception, you can add a custom exception filter to your application. In the Startup class, include the following code:

public void ConfigureServices(IServiceCollection services)
    services.AddMvc(options =>
        options.Filters.Add(new ValidateAntiForgeryTokenAttribute());
        options.Filters.Add(new CustomExceptionFilter());

Then, create the CustomExceptionFilter class:

public class CustomExceptionFilter : ExceptionFilterAttribute
    public override void OnException(ExceptionContext context)
        if (context.Exception is AntiForgeryValidationException)
            context.Result = new BadRequestObjectResult("Invalid or missing anti-forgery token");
            context.ExceptionHandled = true;

This will handle AntiForgeryValidationException instances and return a 400 Bad Request response with a custom error message.

Frequently Asked Questions

h3 What is the __RequestVerificationToken field used for?

The __RequestVerificationToken field is used to store a unique anti-forgery token in a form. This token helps protect your application from CSRF attacks by ensuring that form submissions are coming from your own application and not from a malicious third-party site.

h3 Can I use a custom token name instead of __RequestVerificationToken?

Yes, you can use a custom token name by setting the AntiForgeryOptions.FormFieldName property in your application's Startup class:

services.AddAntiforgery(options =>
    options.FormFieldName = "MyCustomTokenName";

h3 Does the __RequestVerificationToken field need to be included in every form?

It's recommended to include the __RequestVerificationToken field in every form that performs a state-changing operation (e.g., creating, updating, or deleting data). This helps protect your application from CSRF attacks.

h3 What happens if the __RequestVerificationToken field is missing or invalid?

If the __RequestVerificationToken field is missing or invalid, the request will be rejected, and an AntiForgeryValidationException will be thrown. This exception should be handled by your application to provide a meaningful error message to the user.

h3 Can I use the __RequestVerificationToken field in AJAX requests?

Yes, you can include the __RequestVerificationToken field in your AJAX requests by adding it as a header:

    type: "POST",
    url: "/MyController/MyAction",
    data: { /* Your data here */ },
    headers: { "RequestVerificationToken": "@Html.AntiForgeryToken()" }

This will ensure that the token is included in your AJAX requests and validated by the server.

Great! You’ve successfully signed up.

Welcome back! You've successfully signed in.

You've successfully subscribed to

Success! Check your email for magic link to sign-in.

Success! Your billing info has been updated.

Your billing was not updated.