Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 5 additions & 1 deletion aspnetcore/migration/100-to-110.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ title: Migrate from ASP.NET Core in .NET 10 to ASP.NET Core in .NET 11
author: wadepickett
description: Learn how to migrate an ASP.NET Core in .NET 10 to ASP.NET Core in .NET 11.
ms.author: wpickett
ms.date: 06/09/2026
ms.date: 07/10/2026
uid: migration/100-to-110
---
# Migrate from ASP.NET Core in .NET 10 to ASP.NET Core in .NET 11
Expand Down Expand Up @@ -73,6 +73,10 @@ In the project file, update each [`Microsoft.AspNetCore.*`](https://www.nuget.or

[!INCLUDE[](~/migration/100-to-110/includes/blazor.md)]

## Security

[!INCLUDE[](~/migration/100-to-110/includes/security.md)]

## Breaking changes

Use the articles in [Breaking changes in .NET](/dotnet/core/compatibility/breaking-changes) to find breaking changes that might apply when upgrading an app to a newer version of .NET.
13 changes: 13 additions & 0 deletions aspnetcore/migration/100-to-110/includes/security.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
### Adopt automatic CSRF protection

.NET 11 adds an automatic Cross-Site Request Forgery (CSRF) protection middleware that's enabled by default in apps built with `WebApplication.CreateBuilder`. The middleware inspects the `Sec-Fetch-Site` and `Origin` headers on unsafe HTTP methods and records a validation verdict on the request. Form-consuming components — MVC actions, minimal API form binding, and Blazor server-side rendering (SSR) form posts — enforce that verdict and return `400 Bad Request` for cross-origin form posts that aren't trusted.

Depending on how your app uses antiforgery today:

* **If the app calls `AddAntiforgery()` and `UseAntiforgery()` explicitly:** consider dropping both calls and relying on the automatic CSRF protection instead. For most apps this is a one-line change and doesn't require any other code updates. The token-based system remains available if you still need it — see <xref:migration/antiforgery-to-csrf> for the trade-offs.
* **If the app doesn't configure antiforgery explicitly:** you now get CSRF protection automatically. Same-origin browser traffic, safe HTTP methods, and non-browser clients such as `curl`, mobile apps, and server-to-server callers pass through unchanged. No action is required.

To opt an endpoint out, call `.DisableAntiforgery()` on it. To allow a specific cross-origin browser client, configure [CORS](xref:security/cors) so the endpoint's resolved policy trusts the caller's origin; the CSRF middleware honors that policy.

For a full description of the middleware, the validation rules, and how it interacts with the token-based antiforgery system, see <xref:security/csrf-protection>.

Loading