Are pages generated by ASP.NET MVC 4 Beta templates safe against Cross-Site Request Forgery?
Specifically, are the "Edit" view and controller action generated by the "Controller with read/write actions and views, using EntityFramework" protected against CSRF?
Examining the HTML code generated by the Edit form, I can't see a hidden field or another way to implement an anti-forgery token.
Am I missing something or is the default example unsafe?
Best Answer
You need to explicitly implement the anti forgery token.
In the view:
In the controller:
You can always create custom T4 templates to generate this for you, but no, the out-of-the-box templates do not do this by default.
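A minimal version of what the answer describes, as an added example rather than the original post's code: the Razor view gets `@Html.AntiForgeryToken()` inside the form and the POST action gets `[ValidateAntiForgeryToken]`. The `Product` model, `ShopContext` and `ProductsController` names are assumptions.

```csharp
// Assumed names: Product, ShopContext, ProductsController (the page shows none).
using System.Data.Entity;
using System.Web.Mvc;

public class Product
{
    public int Id { get; set; }
    public string Name { get; set; }
}

public class ShopContext : DbContext
{
    public DbSet<Product> Products { get; set; }
}

// Views/Products/Edit.cshtml (Razor), the one line the scaffolded form lacks:
//
//   @model Product
//   @using (Html.BeginForm()) {
//       @Html.AntiForgeryToken()   // hidden __RequestVerificationToken + matching cookie
//       @Html.HiddenFor(m => m.Id)
//       @Html.EditorFor(m => m.Name)
//       <input type="submit" value="Save" />
//   }

public class ProductsController : Controller
{
    private readonly ShopContext db = new ShopContext();

    // GET renders the form. No token check here; a GET must not change state.
    public ActionResult Edit(int id)
    {
        var product = db.Products.Find(id);
        if (product == null) return HttpNotFound();
        return View(product);
    }

    // POST: ValidateAntiForgeryToken compares the hidden field with the cookie and
    // throws HttpAntiForgeryException when either is missing or they do not match,
    // so a form posted from another origin never reaches the action body.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Edit(Product product)
    {
        if (!ModelState.IsValid) return View(product);
        var existing = db.Products.Find(product.Id);
        if (existing == null) return HttpNotFound();
        existing.Name = product.Name;
        db.SaveChanges();
        return RedirectToAction("Index");
    }
}
```

The attribute only guards actions that carry it, so every state-changing POST action in the controller needs its own `[ValidateAntiForgeryToken]`, not just Edit.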