You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: v1/advanced/csrf-protection.mdx
+93-25Lines changed: 93 additions & 25 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -14,7 +14,97 @@ If your server-side framework includes cross-site request forgery (CSRF) protect
14
14
15
15
Of course, as already discussed, some server-side frameworks such as Laravel automatically handle the inclusion of the CSRF token when making requests. **Therefore, no additional configuration is required when using one of these frameworks.**
16
16
17
-
However, if you need to handle CSRF protection manually, one approach is to include the CSRF token as a prop on every response. You can then use the token when making Inertia requests.
17
+
### ASP.NET Core Setup
18
+
19
+
ASP.NET Core requires manually configuring the anti-forgery service. We recommend setting the header name to `X-XSRF-TOKEN` to match the default header name used by Axios:
We also recommend adding the following middleware to your application startup:
26
+
27
+
```csharp
28
+
app.UseInertia();
29
+
app.UseMiddleware<CsrfMiddleware>();
30
+
```
31
+
32
+
The `CsrfMiddleware` class validates the CSRF token on non-safe methods and ensures the token is available for Axios on subsequent requests. If the token is invalid, the middleware redirects back with a flash message — returning a `409` for Inertia requests or a `303` for full page requests.
This ensures each Inertia request includes the necessary CSRF token for `POST`, `PUT`, `PATCH`, and `DELETE` requests.
104
+
105
+
### Manual Handling
106
+
107
+
If you need to handle CSRF protection manually, one approach is to include the CSRF token as a prop on every response. You can then use the token when making Inertia requests.
18
108
19
109
<CodeGroup>
20
110
@@ -100,32 +190,10 @@ use Symfony\Component\HttpFoundation\Response;
100
190
});
101
191
```
102
192
103
-
```csharp .NET icon="dotnet"
104
-
usingInertiaCore;
105
-
usingMicrosoft.AspNetCore.Antiforgery;
106
-
107
-
// Program.cs — catch antiforgery validation failures and redirect back
108
-
// with a flash message instead of surfacing the raw 400 to the client.
If you're using ASP.NET Core with the `CsrfMiddleware` shown above, this is already handled — token mismatches automatically redirect back to the previous page with a `flash.error` message in TempData.
196
+
129
197
The end result is a much better experience for your users. Instead of seeing the error modal, the user is instead presented with a message that the page "expired" and are asked to try again.
Copy file name to clipboardExpand all lines: v2/security/csrf-protection.mdx
+93-29Lines changed: 93 additions & 29 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -14,7 +14,97 @@ If your server-side framework includes cross-site request forgery (CSRF) protect
14
14
15
15
Of course, as already discussed, some server-side frameworks such as Laravel automatically handle the inclusion of the CSRF token when making requests. **Therefore, no additional configuration is required when using one of these frameworks.**
16
16
17
-
However, if you need to handle CSRF protection manually, one approach is to include the CSRF token as a prop on every response. You can then use the token when making Inertia requests.
17
+
### ASP.NET Core Setup
18
+
19
+
ASP.NET Core requires manually configuring the anti-forgery service. We recommend setting the header name to `X-XSRF-TOKEN` to match the default header name used by Axios:
We also recommend adding the following middleware to your application startup:
26
+
27
+
```csharp
28
+
app.UseInertia();
29
+
app.UseMiddleware<CsrfMiddleware>();
30
+
```
31
+
32
+
The `CsrfMiddleware` class validates the CSRF token on non-safe methods and ensures the token is available for Axios on subsequent requests. If the token is invalid, the middleware redirects back with a flash message — returning a `409` for Inertia requests or a `303` for full page requests.
This ensures each Inertia request includes the necessary CSRF token for `POST`, `PUT`, `PATCH`, and `DELETE` requests.
104
+
105
+
### Manual Handling
106
+
107
+
If you need to handle CSRF protection manually, one approach is to include the CSRF token as a prop on every response. You can then use the token when making Inertia requests.
18
108
19
109
<CodeGroup>
20
110
@@ -90,36 +180,10 @@ use Symfony\Component\HttpFoundation\Response;
90
180
});
91
181
```
92
182
93
-
```csharp .NET icon="dotnet"
94
-
usingInertiaCore;
95
-
usingMicrosoft.AspNetCore.Antiforgery;
96
-
usingMicrosoft.AspNetCore.Diagnostics;
97
-
usingMicrosoft.AspNetCore.Mvc;
98
-
usingMicrosoft.AspNetCore.Mvc.Abstractions;
99
-
usingMicrosoft.AspNetCore.Mvc.Infrastructure;
100
-
101
-
// Program.cs — catch antiforgery validation failures and redirect back
102
-
// with a flash message instead of surfacing the raw 400 to the client.
If you're using ASP.NET Core with the `CsrfMiddleware` shown above, this is already handled — token mismatches automatically redirect back to the previous page with a `flash.error` message in TempData.
186
+
123
187
The end result is a much better experience for your users. Instead of seeing the error modal, the user is instead presented with a message that the page "expired" and are asked to try again.
0 commit comments