File: AntiforgeryOptions.cs
Web Access
Project: src\src\Antiforgery\src\Microsoft.AspNetCore.Antiforgery.csproj (Microsoft.AspNetCore.Antiforgery)
// Licensed to the .NET Foundation under one or more agreements.
// The .NET Foundation licenses this file to you under the MIT license.
 
using Microsoft.AspNetCore.Http;
 
namespace Microsoft.AspNetCore.Antiforgery;
 
/// <summary>
/// Provides programmatic configuration for the antiforgery token system.
/// </summary>
public class AntiforgeryOptions
{
    private const string AntiforgeryTokenFieldName = "__RequestVerificationToken";
    private const string AntiforgeryTokenHeaderName = "RequestVerificationToken";
 
    private string _formFieldName = AntiforgeryTokenFieldName;
 
    private CookieBuilder _cookieBuilder = new CookieBuilder
    {
        SameSite = SameSiteMode.Strict,
        HttpOnly = true,
 
        // Check the comment on CookieBuilder for more details
        IsEssential = true,
 
        // Some browsers do not allow non-secure endpoints to set cookies with a 'secure' flag or overwrite cookies
        // whose 'secure' flag is set (http://httpwg.org/http-extensions/draft-ietf-httpbis-cookie-alone.html).
        // Since mixing secure and non-secure endpoints is a common scenario in applications, we are relaxing the
        // restriction on secure policy on some cookies by setting to 'None'. Cookies related to authentication or
        // authorization use a stronger policy than 'None'.
        SecurePolicy = CookieSecurePolicy.None,
    };
 
    /// <summary>
    /// The default cookie prefix, which is ".AspNetCore.Antiforgery.".
    /// </summary>
    public static readonly string DefaultCookiePrefix = ".AspNetCore.Antiforgery.";
 
    /// <summary>
    /// Determines the settings used to create the antiforgery cookies.
    /// </summary>
    /// <remarks>
    /// <para>
    /// If an explicit <see cref="CookieBuilder.Name"/> is not provided, the system will automatically generate a
    /// unique name that begins with <see cref="DefaultCookiePrefix"/>.
    /// </para>
    /// <list type="bullet">
    /// <item><description><see cref="CookieBuilder.SameSite"/> defaults to <see cref="SameSiteMode.Strict"/>.</description></item>
    /// <item><description><see cref="CookieBuilder.HttpOnly"/> defaults to <c>true</c>.</description></item>
    /// <item><description><see cref="CookieBuilder.IsEssential"/> defaults to <c>true</c>. The cookie used by the antiforgery system
    /// is part of a security system that is necessary when using cookie-based authentication. It should be
    /// considered required for the application to function.</description></item>
    /// <item><description><see cref="CookieBuilder.SecurePolicy"/> defaults to <see cref="CookieSecurePolicy.None"/>.</description></item>
    /// </list>
    /// </remarks>
    public CookieBuilder Cookie
    {
        get => _cookieBuilder;
        set => _cookieBuilder = value ?? throw new ArgumentNullException(nameof(value));
    }
 
    /// <summary>
    /// Specifies the name of the antiforgery token field that is used by the antiforgery system.
    /// </summary>
    public string FormFieldName
    {
        get => _formFieldName;
        set => _formFieldName = value ?? throw new ArgumentNullException(nameof(value));
    }
 
    /// <summary>
    /// Specifies the name of the header value that is used by the antiforgery system. If <c>null</c> then
    /// antiforgery validation will only consider form data.
    /// </summary>
    public string? HeaderName { get; set; } = AntiforgeryTokenHeaderName;
 
    /// <summary>
    /// Specifies whether to suppress the generation of X-Frame-Options header
    /// which is used to prevent ClickJacking. By default, the X-Frame-Options
    /// header is generated with the value SAMEORIGIN. If this setting is 'true',
    /// the X-Frame-Options header will not be generated for the response.
    /// </summary>
    public bool SuppressXFrameOptionsHeader { get; set; }
 
    /// <summary>
    /// Specifies whether to suppress load of antiforgery token from request body.
    /// </summary>
    public bool SuppressReadingTokenFromFormBody { get; set; }
}