Security first.
MVC best practices recommend adding the [ValidateAntiForgeryToken] attribute to each [HttpPost] action.
How can
The following class allows you to do this with a FilterProvider:
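using System;
using System.Collections.Generic;
using System.Web.Mvc;

public class AntiForgeryTokenFilterProvider : IFilterProvider
{
    public IEnumerable<Filter> GetFilters(ControllerContext controllerContext, ActionDescriptor actionDescriptor)
    {
        List<Filter> result = new List<Filter>();
        // Attach the anti-forgery check only when the incoming request is a POST.
        string incomingVerb = controllerContext.HttpContext.Request.HttpMethod;
        if (String.Equals(incomingVerb, "POST", StringComparison.OrdinalIgnoreCase))
        {
            result.Add(new Filter(new ValidateAntiForgeryTokenAttribute(), FilterScope.Global, null));
        }
        return result;
    }
}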
To use the above class, add this to the RegisterGlobalFilters method in the Global.asax file:
...
FilterProviders.Providers.Add(new AntiForgeryTokenFilterProvider());
...
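With the provider registered, every POST request is validated against the token that Html.AntiForgeryToken() renders in the view, so each form that posts to an [HttpPost] action must include it.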
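
Because the provider applies to every POST, an endpoint that legitimately receives POSTs without a token (for example a webhook receiver) would be rejected. The variant below is an added example, not code from the original post: it adds an explicit per-action or per-controller opt-out. The names SkipAntiForgeryValidationAttribute and AntiForgeryTokenFilterProviderWithOptOut are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Web.Mvc;

// Hypothetical marker attribute (not part of ASP.NET MVC). Apply it only to
// endpoints that authenticate the request some other way, e.g. a signed webhook.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public sealed class SkipAntiForgeryValidationAttribute : Attribute { }

public class AntiForgeryTokenFilterProviderWithOptOut : IFilterProvider
{
    public IEnumerable<Filter> GetFilters(ControllerContext controllerContext, ActionDescriptor actionDescriptor)
    {
        // Same rule as the provider above: only POST requests are checked.
        string verb = controllerContext.HttpContext.Request.HttpMethod;
        if (!String.Equals(verb, "POST", StringComparison.OrdinalIgnoreCase))
            yield break;

        // Child actions (Html.Action) execute inside the parent request,
        // which has already passed through this provider.
        if (controllerContext.IsChildAction)
            yield break;

        // Explicit opt-out on the action or on its controller.
        Type optOut = typeof(SkipAntiForgeryValidationAttribute);
        if (actionDescriptor.IsDefined(optOut, true) ||
            actionDescriptor.ControllerDescriptor.IsDefined(optOut, true))
            yield break;

        // The action already carries the attribute: do not validate twice.
        if (actionDescriptor.IsDefined(typeof(ValidateAntiForgeryTokenAttribute), true))
            yield break;

        yield return new Filter(new ValidateAntiForgeryTokenAttribute(), FilterScope.Global, null);
    }
}

// Registration, in place of the provider above:
//   FilterProviders.Providers.Add(new AntiForgeryTokenFilterProviderWithOptOut());
```

Keeping the opt-out as a named attribute makes every unprotected POST endpoint easy to find in a code review by searching for its usages.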