In .net Core with we use Configure antiforgery features with IAntiforgery along with [ValidateAntiForgeryToken] or AutoValidateAntiforgeryToken to Prevent Cross-Site Request Forgery (XSRF/CSRF) attacks.
To configure antiforgery feature in middleware we use
var antiforgery = app.Services.GetRequiredService<IAntiforgery>();
app.Use((context, next) =>
{
var requestPath = context.Request.Path.Value;
if (string.Equals(requestPath, "/", StringComparison.OrdinalIgnoreCase)
|| string.Equals(requestPath, "/index.html", StringComparison.OrdinalIgnoreCase))
{
var tokenSet = antiforgery.GetAndStoreTokens(context);
context.Response.Cookies.Append("XSRF-TOKEN", tokenSet.RequestToken!,
new CookieOptions { HttpOnly = false });
}
return next(context);
});
Now my Question is If We set new CookieOptions { HttpOnly = True });
then what changes do we need to do at server side as well as client side
CodePudding user response:
Changes on client-side? Realistically, absolutely none.
It should be easier to use an HTTPOnly cookie rather than extracting and storing your client-side cookie/token manually. The HttpOnly cookie just stops the cookie from being interceptable via client-side JavaScript. As long as you aren't actually trying to grab that cookie from the request (and why would you, it's stored in cookies!), then it will automatically be sent along with all of your requests.
Server-side should work the same as always. HttpOnly is a client-side change