From f805ab8a0046c4058932f35cf25099d53be6864e Mon Sep 17 00:00:00 2001 From: Korolev Dmitry Date: Fri, 10 Jul 2026 09:52:17 +0200 Subject: [PATCH 1/2] Mention automatic CSRF protection in .NET 10 -> 11 migration article Adds a short "Security" section pointing readers at and . Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- aspnetcore/migration/100-to-110.md | 6 +++++- aspnetcore/migration/100-to-110/includes/security.md | 10 ++++++++++ 2 files changed, 15 insertions(+), 1 deletion(-) create mode 100644 aspnetcore/migration/100-to-110/includes/security.md diff --git a/aspnetcore/migration/100-to-110.md b/aspnetcore/migration/100-to-110.md index b3b84cc3a065..1dfc5a4b9b7a 100644 --- a/aspnetcore/migration/100-to-110.md +++ b/aspnetcore/migration/100-to-110.md @@ -3,7 +3,7 @@ title: Migrate from ASP.NET Core in .NET 10 to ASP.NET Core in .NET 11 author: wadepickett description: Learn how to migrate an ASP.NET Core in .NET 10 to ASP.NET Core in .NET 11. ms.author: wpickett -ms.date: 06/09/2026 +ms.date: 07/10/2026 uid: migration/100-to-110 --- # Migrate from ASP.NET Core in .NET 10 to ASP.NET Core in .NET 11 @@ -73,6 +73,10 @@ In the project file, update each [`Microsoft.AspNetCore.*`](https://www.nuget.or [!INCLUDE[](~/migration/100-to-110/includes/blazor.md)] +## Security + +[!INCLUDE[](~/migration/100-to-110/includes/security.md)] + ## Breaking changes Use the articles in [Breaking changes in .NET](/dotnet/core/compatibility/breaking-changes) to find breaking changes that might apply when upgrading an app to a newer version of .NET. diff --git a/aspnetcore/migration/100-to-110/includes/security.md b/aspnetcore/migration/100-to-110/includes/security.md new file mode 100644 index 000000000000..d1a05f89d110 --- /dev/null +++ b/aspnetcore/migration/100-to-110/includes/security.md @@ -0,0 +1,10 @@ +### Adopt automatic CSRF protection + +.NET 11 adds an automatic Cross-Site Request Forgery (CSRF) protection middleware that's enabled by default in apps built with `WebApplication.CreateBuilder`. The middleware inspects the `Sec-Fetch-Site` and `Origin` headers on unsafe HTTP methods and records a validation verdict on the request. Form-consuming components — MVC actions, minimal API form binding, and Blazor server-side rendering (SSR) form posts — enforce that verdict and return `400 Bad Request` for cross-origin form posts that aren't trusted. + +Most apps aren't affected: same-origin browser traffic, safe HTTP methods, and non-browser clients such as `curl`, mobile apps, and server-to-server callers pass through unchanged. Apps that accept **cross-origin form posts from a browser** — for example, a site at `https://app.contoso.com` posting a form to an API at `https://api.contoso.com` — need to either: + +* Configure [CORS](xref:security/cors) so the API's resolved policy trusts the caller's origin, or +* Opt the endpoint out by calling `.DisableAntiforgery()` on the endpoint. + +For a full description of the middleware, how the verdict is computed, and how it interacts with the token-based antiforgery system, see . Apps that use the token-based antiforgery system today can also review for guidance on whether to keep or drop token validation. From 30dcbdcbad24ccb1d4780ffbe9ef80ccc2dabdd8 Mon Sep 17 00:00:00 2001 From: Korolev Dmitry Date: Fri, 10 Jul 2026 09:59:39 +0200 Subject: [PATCH 2/2] Restructure security include by usage scenario Splits the guidance into "already uses AddAntiforgery/UseAntiforgery" vs "doesn't configure antiforgery explicitly", then covers opt-out and CORS in a single follow-up paragraph. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- aspnetcore/migration/100-to-110/includes/security.md | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/aspnetcore/migration/100-to-110/includes/security.md b/aspnetcore/migration/100-to-110/includes/security.md index d1a05f89d110..97c741f160ed 100644 --- a/aspnetcore/migration/100-to-110/includes/security.md +++ b/aspnetcore/migration/100-to-110/includes/security.md @@ -2,9 +2,12 @@ .NET 11 adds an automatic Cross-Site Request Forgery (CSRF) protection middleware that's enabled by default in apps built with `WebApplication.CreateBuilder`. The middleware inspects the `Sec-Fetch-Site` and `Origin` headers on unsafe HTTP methods and records a validation verdict on the request. Form-consuming components — MVC actions, minimal API form binding, and Blazor server-side rendering (SSR) form posts — enforce that verdict and return `400 Bad Request` for cross-origin form posts that aren't trusted. -Most apps aren't affected: same-origin browser traffic, safe HTTP methods, and non-browser clients such as `curl`, mobile apps, and server-to-server callers pass through unchanged. Apps that accept **cross-origin form posts from a browser** — for example, a site at `https://app.contoso.com` posting a form to an API at `https://api.contoso.com` — need to either: +Depending on how your app uses antiforgery today: -* Configure [CORS](xref:security/cors) so the API's resolved policy trusts the caller's origin, or -* Opt the endpoint out by calling `.DisableAntiforgery()` on the endpoint. +* **If the app calls `AddAntiforgery()` and `UseAntiforgery()` explicitly:** consider dropping both calls and relying on the automatic CSRF protection instead. For most apps this is a one-line change and doesn't require any other code updates. The token-based system remains available if you still need it — see for the trade-offs. +* **If the app doesn't configure antiforgery explicitly:** you now get CSRF protection automatically. Same-origin browser traffic, safe HTTP methods, and non-browser clients such as `curl`, mobile apps, and server-to-server callers pass through unchanged. No action is required. + +To opt an endpoint out, call `.DisableAntiforgery()` on it. To allow a specific cross-origin browser client, configure [CORS](xref:security/cors) so the endpoint's resolved policy trusts the caller's origin; the CSRF middleware honors that policy. + +For a full description of the middleware, the validation rules, and how it interacts with the token-based antiforgery system, see . -For a full description of the middleware, how the verdict is computed, and how it interacts with the token-based antiforgery system, see . Apps that use the token-based antiforgery system today can also review for guidance on whether to keep or drop token validation.