DevExpress-Examples/asp-net-core-dashboard-antiforgery

BI Dashboard for ASP.NET Core - How to Prevent Cross-Site Request Forgery (CSRF) Attacks

The following example applies antiforgery request validation to the DevExpress ASP.NET Core Dashboard control.

Example Overview

Follow the steps below to apply antiforgery request validation.

Configure a custom dashboard controller

1. Create a custom dashboard controller. If you already have a custom controller, you can skip this step.

```csharp
using DevExpress.DashboardAspNetCore;
using Microsoft.AspNetCore.DataProtection;

namespace AspNetCoreDashboardPreventCrossSiteRequestForgery.Controllers {
    // Inherits the built-in dashboard endpoints; the antiforgery attribute is added in a later step.
    public class CustomDashboardController : DashboardController {
        public CustomDashboardController(CustomDashboardConfigurator configurator, IDataProtectionProvider dataProtectionProvider = null)
            : base(configurator, dataProtectionProvider) {
        }
    }
}
```
2. Change the default routing to use the created controller.

```csharp
app.UseEndpoints(endpoints => {
    endpoints.MapDashboardRoute("dashboardControl", "CustomDashboard");
    // ...
});
```
3. Specify the controller name in the Web Dashboard settings.

```cshtml
@(Html.DevExpress().Dashboard("dashboardControl1")
    ...
    .ControllerName("CustomDashboard")
)
```

Add validation for AntiforgeryToken

1. Add the Antiforgery service.

```csharp
services.AddAntiforgery(options => {
    // Set cookie properties using the CookieBuilder properties.
    options.FormFieldName = "X-CSRF-TOKEN";
    options.HeaderName = "X-CSRF-TOKEN";
    options.SuppressXFrameOptionsHeader = false;
});
```
2. Add the AutoValidateAntiforgeryToken attribute to the custom controller. The attribute validates every unsafe request (POST, PUT, PATCH, DELETE) handled by the controller and rejects requests without a valid token.

```csharp
using Microsoft.AspNetCore.Mvc;

[AutoValidateAntiforgeryToken]
public class CustomDashboardController : DashboardController {
    // ...
}
```
3. Configure the Web Dashboard control's backend options so that the control sends the request token in the header the Antiforgery service expects.

```cshtml
@inject Microsoft.AspNetCore.Antiforgery.IAntiforgery Xsrf

@(Html.DevExpress().Dashboard("dashboardControl1")
    ...
    .ControllerName("CustomDashboard")
    .BackendOptions(backendOptions => {
        backendOptions.RequestHttpHeaders(headers => {
            headers.Add("X-CSRF-TOKEN", Xsrf.GetAndStoreTokens(HttpContext).RequestToken);
        });
    })
)
```
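The steps above wired into one minimal-hosting Program.cs, as an added example that is not the repository's own code; it assumes .NET 6 top-level statements with implicit usings, and a file-based dashboard storage under App_Data/Dashboards (both assumptions, not taken from the page).

```csharp
using DevExpress.DashboardAspNetCore;
using DevExpress.DashboardWeb;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.Mvc;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddDevExpressControls();
builder.Services.AddControllersWithViews();

// Assumed storage location: a folder under the content root.
builder.Services.AddScoped<CustomDashboardConfigurator>(sp => {
    var env = sp.GetRequiredService<IWebHostEnvironment>();
    return new CustomDashboardConfigurator(Path.Combine(env.ContentRootPath, "App_Data", "Dashboards"));
});

// HeaderName must match the header the Razor view adds via RequestHttpHeaders.
builder.Services.AddAntiforgery(options => {
    options.FormFieldName = "X-CSRF-TOKEN";
    options.HeaderName = "X-CSRF-TOKEN";
    options.SuppressXFrameOptionsHeader = false; // keep X-Frame-Options on responses that issue tokens
});

var app = builder.Build();

app.UseStaticFiles();
app.UseDevExpressControls();
app.UseRouting();

// Same route prefix and controller name as in the steps above.
app.MapDashboardRoute("dashboardControl", "CustomDashboard");
app.MapControllerRoute("default", "{controller=Home}/{action=Index}/{id?}");

app.Run();

public class CustomDashboardConfigurator : DashboardConfigurator {
    public CustomDashboardConfigurator(string dashboardFolder) {
        SetDashboardStorage(new DashboardFileStorage(dashboardFolder));
    }
}

// Unsafe requests (POST, PUT, PATCH, DELETE) to the dashboard endpoints are rejected with HTTP 400
// unless the X-CSRF-TOKEN header carries a token that matches the antiforgery cookie.
[AutoValidateAntiforgeryToken]
public class CustomDashboardController : DashboardController {
    public CustomDashboardController(CustomDashboardConfigurator configurator, IDataProtectionProvider dataProtectionProvider = null)
        : base(configurator, dataProtectionProvider) { }
}
```

A quick check that the protection is active: a POST to any dashboard endpoint sent without the header (for example, from a plain HTTP client with only the cookie) should return 400, while the same request issued by the dashboard control in the browser succeeds.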

Files to Review

Documentation

More Examples