diff --git a/aspnetcore/migration/100-to-110.md b/aspnetcore/migration/100-to-110.md index b3b84cc3a065..1dfc5a4b9b7a 100644 --- a/aspnetcore/migration/100-to-110.md +++ b/aspnetcore/migration/100-to-110.md @@ -3,7 +3,7 @@ title: Migrate from ASP.NET Core in .NET 10 to ASP.NET Core in .NET 11 author: wadepickett description: Learn how to migrate an ASP.NET Core in .NET 10 to ASP.NET Core in .NET 11. ms.author: wpickett -ms.date: 06/09/2026 +ms.date: 07/10/2026 uid: migration/100-to-110 --- # Migrate from ASP.NET Core in .NET 10 to ASP.NET Core in .NET 11 @@ -73,6 +73,10 @@ In the project file, update each [`Microsoft.AspNetCore.*`](https://www.nuget.or [!INCLUDE[](~/migration/100-to-110/includes/blazor.md)] +## Security + +[!INCLUDE[](~/migration/100-to-110/includes/security.md)] + ## Breaking changes Use the articles in [Breaking changes in .NET](/dotnet/core/compatibility/breaking-changes) to find breaking changes that might apply when upgrading an app to a newer version of .NET. diff --git a/aspnetcore/migration/100-to-110/includes/security.md b/aspnetcore/migration/100-to-110/includes/security.md new file mode 100644 index 000000000000..97c741f160ed --- /dev/null +++ b/aspnetcore/migration/100-to-110/includes/security.md @@ -0,0 +1,13 @@ +### Adopt automatic CSRF protection + +.NET 11 adds an automatic Cross-Site Request Forgery (CSRF) protection middleware that's enabled by default in apps built with `WebApplication.CreateBuilder`. The middleware inspects the `Sec-Fetch-Site` and `Origin` headers on unsafe HTTP methods and records a validation verdict on the request. Form-consuming components — MVC actions, minimal API form binding, and Blazor server-side rendering (SSR) form posts — enforce that verdict and return `400 Bad Request` for cross-origin form posts that aren't trusted. + +Depending on how your app uses antiforgery today: + +* **If the app calls `AddAntiforgery()` and `UseAntiforgery()` explicitly:** consider dropping both calls and relying on the automatic CSRF protection instead. For most apps this is a one-line change and doesn't require any other code updates. The token-based system remains available if you still need it — see for the trade-offs. +* **If the app doesn't configure antiforgery explicitly:** you now get CSRF protection automatically. Same-origin browser traffic, safe HTTP methods, and non-browser clients such as `curl`, mobile apps, and server-to-server callers pass through unchanged. No action is required. + +To opt an endpoint out, call `.DisableAntiforgery()` on it. To allow a specific cross-origin browser client, configure [CORS](xref:security/cors) so the endpoint's resolved policy trusts the caller's origin; the CSRF middleware honors that policy. + +For a full description of the middleware, the validation rules, and how it interacts with the token-based antiforgery system, see . +