How to protect against CSRF by default in ASP.NET MVC 4?

Question

Is there a way to ensure ASP.NET MVC 4 forms are protected against CSRF by default?

For instance, is there a way to have AntiForgeryToken automatically

Answer 1

One way to do it would be to modify the T4 templates in ASP.NET MVC that create forms, to have them insert this code automatically:

<% using(Html.Form("UserProfile", "SubmitUpdate")) { %>
    <%= Html.AntiForgeryToken() %>
    
<% } %>

And of course, you need the corresponding attribute on the controller method:

[ValidateAntiForgeryToken]
public ViewResult SubmitUpdate()
{
    // ... etc
}

It's really not that difficult to retrofit an application in this manner, unless it's unusually large. The last application I wrote in MVC would probably take me a couple of hours to retrofit.