Closed
Description
Tom, I'll take care of this one.
The section on options only throws the reader over to AntiforgeryOptions.Cookie with very minimal coverage on SecurePolicy ...
- https://learn.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-9.0#configure-antiforgery-with-antiforgeryoptions
- https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.antiforgery.antiforgeryoptions.cookie?view=aspnetcore-9.0
SecurePolicy defaults to None.
Let's flesh out additional guidance ...
- Comment on SecurePolicy: https://github.com/dotnet/aspnetcore/blob/main/src/Antiforgery/src/AntiforgeryOptions.cs#L26-L31
- Enhance cookie security in Entra BFF sample blazor-samples#586 (comment)
As part of this, we can cross-link this section into the Blazor BWA+OIDC/Entra articles as an additional resource.
Example to enable secure cookies over SSL (HTTPS) ...
```csharp
// Optionally, you can secure the antiforgery cookie in non-Development
// environments using Secure Sockets Layer (SSL), over HTTPS only, with
// the following code. For more information, see the AntiforgeryOptions
// reference source remarks for SecurePolicy at:
// https://github.com/dotnet/aspnetcore/blob/main/src/Antiforgery/src/AntiforgeryOptions.cs
if (!builder.Environment.IsDevelopment())
{
    builder.Services.AddAntiforgery(o =>
    {
        o.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    });
}
```
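The following is an added example written for this page; it is not code from the issue above, from the ASP.NET Core docs, or from the blazor-samples repository. It shows a complete minimal API `Program.cs` that sets the antiforgery cookie's `SecurePolicy` alongside the other cookie settings, and the token round trip that the policy affects: the cookie half is written on a GET, the request half is echoed back on a POST. It assumes .NET 8 or later (for `app.UseAntiforgery()` and raw string literals); the `/form` and `/submit` routes and the `X-CSRF-TOKEN` header name are illustrative choices, not anything the docs prescribe.

```csharp
// Added example, not part of the original issue or the ASP.NET Core docs.
// Assumes .NET 8+. Routes and the header name below are made up for illustration.
using Microsoft.AspNetCore.Antiforgery;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAntiforgery(options =>
{
    // Default SecurePolicy is None: the cookie is also sent over plain HTTP.
    // Always        = cookie carries the Secure attribute; browsers send it over HTTPS only.
    // SameAsRequest = Secure only when the response that set it was served over HTTPS.
    // Gating on the environment keeps http://localhost working in Development
    // without shipping a cookie that can leak over HTTP in production.
    options.Cookie.SecurePolicy = builder.Environment.IsDevelopment()
        ? CookieSecurePolicy.SameAsRequest
        : CookieSecurePolicy.Always;

    // HttpOnly and SameSite=Strict are already the antiforgery defaults;
    // they are set explicitly here so a reviewer sees the full cookie posture.
    options.Cookie.HttpOnly = true;
    options.Cookie.SameSite = SameSiteMode.Strict;

    // Header in which fetch()/XHR callers send the request token (illustrative name).
    options.HeaderName = "X-CSRF-TOKEN";
});

var app = builder.Build();

// Issue the cookie over HTTPS from the start; with SecurePolicy.Always a
// cookie set on an HTTP response would simply never be sent back.
app.UseHttpsRedirection();
app.UseAntiforgery();

// GET: writes the cookie token on this response and returns the request token
// in a hidden field. The two halves must pair up on the later POST.
app.MapGet("/form", (HttpContext ctx, IAntiforgery antiforgery) =>
{
    AntiforgeryTokenSet tokens = antiforgery.GetAndStoreTokens(ctx);
    var html = $"""
        <form method="post" action="/submit">
          <input type="hidden" name="{tokens.FormFieldName}" value="{tokens.RequestToken}" />
          <button type="submit">Send</button>
        </form>
        """;
    return Results.Content(html, "text/html");
});

// POST: explicit validation. ValidateRequestAsync throws
// AntiforgeryValidationException when the cookie token is absent (for example,
// the cookie was marked Secure and this request arrived over HTTP) or when the
// cookie and request tokens do not match.
app.MapPost("/submit", async (HttpContext ctx, IAntiforgery antiforgery) =>
{
    await antiforgery.ValidateRequestAsync(ctx);
    return Results.Ok("antiforgery validated");
});

app.Run();
```

To check the result, request `/form` over HTTPS and inspect the `Set-Cookie` header in the browser's network panel or with `curl -v`: the antiforgery cookie should carry `secure`, `httponly` and `samesite=strict`. Then repeat the request over plain HTTP against a non-Development build: the cookie is still set with `secure`, but the browser will not return it, and the POST to `/submit` fails validation. That failure mode is the reason the issue's snippet gates `CookieSecurePolicy.Always` on the environment rather than applying it unconditionally.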
Content source URL
https://github.com/dotnet/AspNetCore.Docs/blob/main/aspnetcore/security/anti-request-forgery.md
Document ID
bffca13c-223f-c61f-9cb2-9da8811eecfa
Platform Id
a2883bdf-f8ff-d4f0-ef3e-413f88c39bd2
Metadata
- ID: 47b14f57-82ac-a2e2-cbc7-22a81a60f4ac
- PlatformId: a2883bdf-f8ff-d4f0-ef3e-413f88c39bd2
- Service: aspnet-core
- Sub-service: security