  • Phil Dye 149 posts 325 karma points
    Feb 14, 2022 @ 14:34
    Phil Dye
    0

    Disabling AntiForgeryToken/__RequestVerificationToken in BeginUmbracoForm

    To run a site behind a CDN, I need to disable the built-in anti-CSRF token stuff so that Html.BeginUmbracoForm() doesn't output the token.

    How can I do that with v9?

    I need to ensure there are no tokens, as my attempts to set Cache-Control headers are being overridden with a log warning:

    The 'Cache-Control' and 'Pragma' headers have been overridden and set to 'no-cache, no-store' and 'no-cache' respectively to prevent caching of this response. Any response that uses antiforgery should not be cached

    Phil

  • Phil Dye 149 posts 325 karma points
    Feb 16, 2022 @ 15:08
    Phil Dye
    101

    I've eventually solved this by injecting my own IAntiforgery class that basically does nothing - very quick-and-dirty, but seems to do the job:

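    using System.Threading.Tasks;
    using Microsoft.AspNetCore.Antiforgery;
    using Microsoft.AspNetCore.Http;

    // No-op IAntiforgery: issues empty tokens and accepts every request.
    public class NullAntiforgery : IAntiforgery
    {
        private const string AntiforgeryTokenFieldName = "__RequestVerificationToken";
        private const string AntiforgeryTokenHeaderName = "RequestVerificationToken";
    
        // Returns an empty token set and stores no cookie.
        public AntiforgeryTokenSet GetAndStoreTokens(HttpContext httpContext) => new(string.Empty, string.Empty, AntiforgeryTokenFieldName, AntiforgeryTokenHeaderName);
    
        public AntiforgeryTokenSet GetTokens(HttpContext httpContext) => new(string.Empty, string.Empty, AntiforgeryTokenFieldName, AntiforgeryTokenHeaderName);
    
        // Every request is reported as valid; no token is checked.
        public Task<bool> IsRequestValidAsync(HttpContext httpContext) => Task.FromResult(true);
    
        // Intentionally empty: no cookie is set and the cache headers are left untouched.
        public void SetCookieTokenAndHeader(HttpContext httpContext)
        {
        }
    
        // Never throws, so validation always passes.
        public Task ValidateRequestAsync(HttpContext httpContext) => Task.CompletedTask;
    }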
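
With NullAntiforgery registered, IsRequestValidAsync accepts every request, so form posts are no longer checked for a cross-site origin. The following is an added example, not code from the thread or from Umbraco: an ASP.NET Core middleware that rejects cross-site state-changing requests by inspecting request headers only, so it emits nothing into the response and leaves pages cacheable. The class name SameOriginPostMiddleware and the allowed-origin list are assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;

// Hypothetical middleware (added example): header-based CSRF check.
public class SameOriginPostMiddleware
{
    private readonly RequestDelegate _next;
    private readonly HashSet<string> _allowedOrigins;

    // allowedOrigins: the site's public origins as the browser sees them,
    // e.g. "https://www.example.com" (placeholder value).
    public SameOriginPostMiddleware(RequestDelegate next, string[] allowedOrigins)
    {
        _next = next;
        _allowedOrigins = new HashSet<string>(allowedOrigins, StringComparer.OrdinalIgnoreCase);
    }

    public async Task InvokeAsync(HttpContext context)
    {
        var method = context.Request.Method;
        bool safeMethod = HttpMethods.IsGet(method) || HttpMethods.IsHead(method)
                          || HttpMethods.IsOptions(method) || HttpMethods.IsTrace(method);

        // Only state-changing requests need to prove they came from this site.
        if (!safeMethod && !IsSameSite(context.Request))
        {
            context.Response.StatusCode = StatusCodes.Status403Forbidden;
            return;
        }
        await _next(context);
    }

    private bool IsSameSite(HttpRequest request)
    {
        // Browsers that send Fetch Metadata state the relationship directly.
        var fetchSite = request.Headers["Sec-Fetch-Site"].ToString();
        if (fetchSite.Length > 0) return fetchSite == "same-origin";

        // Otherwise compare Origin against the allow-list ("null" never matches).
        var origin = request.Headers["Origin"].ToString();
        if (origin.Length > 0) return _allowedOrigins.Contains(origin);

        // Last resort: Referer's scheme and authority; absent headers fail closed.
        var referer = request.Headers["Referer"].ToString();
        return Uri.TryCreate(referer, UriKind.Absolute, out var uri)
               && _allowedOrigins.Contains(uri.GetLeftPart(UriPartial.Authority));
    }
}
```

Register it ahead of the endpoints with `app.UseMiddleware<SameOriginPostMiddleware>((object)new[] { "https://www.example.com" });`, and confirm the CDN forwards the Origin, Referer and Sec-Fetch-Site request headers unchanged.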
    