
Anti Request Forgery article: Add antiforgery opt-out warning #36659

@wadepickett

Description

This article demonstrates the use of `.DisableAntiforgery()` but needs a warning to clarify the risks of its use.

Just below the following:

> In the preceding code, posts to:
>
> - /todo require a valid antiforgery token.
> - /todo2 do not require a valid antiforgery token because DisableAntiforgery is called.
>
> ```csharp
> app.MapPost("/todo", ([FromForm] Todo todo) => Results.Ok(todo));
>
> app.MapPost("/todo2", ([FromForm] Todo todo) => Results.Ok(todo))
>     .DisableAntiforgery();
> ```

There should be something like this draft warning, which should be applied to all .NET-targeted versions of this article that contain the `.DisableAntiforgery()` example:

> [!WARNING]
> Calling `.DisableAntiforgery()` disables cross-site request forgery (CSRF) protection for the endpoint. This should only be used when an endpoint is not vulnerable to CSRF attacks, such as:
>
> - Endpoints that are not callable from a browser (for example, internal APIs)
> - Endpoints secured with non-cookie-based authentication (for example, bearer tokens or API keys)
> - Internal or infrastructure endpoints that do not rely on user cookies
>
> Do **not** disable antiforgery validation for browser-accessible endpoints that rely on cookies for authentication or that process user-submitted form data, as this exposes your application to CSRF attacks.

Page URL

https://learn.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-10.0

Content source URL

https://github.com/dotnet/AspNetCore.Docs/blob/main/aspnetcore/security/anti-request-forgery.md

Document ID

bffca13c-223f-c61f-9cb2-9da8811eecfa

Platform Id

a2883bdf-f8ff-d4f0-ef3e-413f88c39bd2

Article author

@tdykstra

Metadata

  • ID: 47b14f57-82ac-a2e2-cbc7-22a81a60f4ac
  • PlatformId: a2883bdf-f8ff-d4f0-ef3e-413f88c39bd2
  • Service: aspnet-core
  • Sub-service: security

Related Issues

Associated WorkItem - 546789
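The distinction the draft warning draws, as an added example (not the article's code and not part of this issue): `/todo` is browser-facing and keeps antiforgery validation, with a GET that renders a form carrying the request token, while `/todo2` opts out only because it requires a bearer token rather than a cookie. It assumes .NET 8 or later, the `Microsoft.AspNetCore.Authentication.JwtBearer` package, and placeholder authority/audience values.

```csharp
// Added example (not the article's code): /todo keeps antiforgery validation;
// /todo2 opts out only because it requires a bearer token, not a cookie.
// Assumes .NET 8+ and the Microsoft.AspNetCore.Authentication.JwtBearer package.
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Mvc;
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAntiforgery();
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Authority = "https://issuer.example.invalid"; // placeholder
        options.Audience = "todo-api";                        // placeholder
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.UseAntiforgery(); // after auth, before the endpoints

// Browser-facing form: the hidden field carries the request token that the
// antiforgery middleware checks on POST /todo; a cross-site form cannot supply it.
app.MapGet("/", (HttpContext ctx, IAntiforgery antiforgery) =>
{
    var tokens = antiforgery.GetAndStoreTokens(ctx);
    var html = $"""
        <form method="post" action="/todo">
          <input type="hidden" name="{tokens.FormFieldName}" value="{tokens.RequestToken}" />
          <input name="Name" /> <button>Save</button>
        </form>
        """;
    return Results.Content(html, "text/html");
});
// Cookie-authenticated and browser-callable: antiforgery stays enabled.
app.MapPost("/todo", ([FromForm] Todo todo) => Results.Ok(todo));
// Opt-out is acceptable here only because a bearer token is required: a
// cross-site form post cannot attach the victim's Authorization header.
app.MapPost("/todo2", ([FromForm] Todo todo) => Results.Ok(todo))
    .RequireAuthorization()
    .DisableAntiforgery();
app.Run();

class Todo
{
    public string Name { get; set; } = "";
    public bool IsComplete { get; set; }
}
```

Posting the rendered form to `/todo` succeeds, while the same form submitted without the hidden token field (as a cross-site page would have to) is rejected by the antiforgery middleware before the handler runs.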
