AntiforgeryToken C# .NET - 400 Bad Request

[Eric-Rodrigues-Abib]

Select Topic Area

Question

Body

Hi everyone, Im trying to implement the antiforgery token in my C# .NET application and I have already made the Startup implementation but when I try to test any POST API, Im trying at this moment only at swagger, I get a 400 bad request. Im using the:
_ = services.AddControllersWithViews(options => options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute())); to add the autovalidate atribute on the controllers.

Also adding the X-XSRF-TOKEN in the headers of the request but always getting Bad request, but when I put [IgnoreAntiforgeryToken] Im able to try any type o Request.

There is somebody that could help or had the same "issue" and how had fixed? Searched a lot on the internet but everything I saw I have already did, getting out of ideas.

[puspah-ghimire]

Problem:
Swagger doesn't automatically generate or send the antiforgery token from a valid GET response, so when you test POST endpoints directly from Swagger, the request lacks a valid antiforgery token pair (cookie + header).

1. Antiforgery needs both:
   A cookie named by default as .AspNetCore.Antiforgery.*
   A header X-XSRF-TOKEN with the token value extracted from that cookie

2. Solution Options:

Option A: Skip Antiforgery for APIs (Recommended for APIs that are authenticated differently, e.g., via JWT)
If you're building APIs (especially for use with Swagger or frontend apps), don't use antiforgery tokens. Instead, protect endpoints with auth headers (like JWT):

services.AddControllers(); // no antiforgery token required

Or exclude API controllers:
[IgnoreAntiforgeryToken]
[ApiController]
[Route("api/[controller]")]
public class YourApiController : ControllerBase

Option B: Generate and use antiforgery tokens correctly
If you must use antiforgery tokens:

Get the token from a GET endpoint (which calls IAntiforgery.GetAndStoreTokens()):
[HttpGet]
public IActionResult GetCsrfToken([FromServices] IAntiforgery antiforgery)
{
var tokens = antiforgery.GetAndStoreTokens(HttpContext);
return Ok(new { token = tokens.RequestToken });
}

This sets the antiforgery cookie and returns the token.

In Swagger or Postman:
Send the token you received in the X-XSRF-TOKEN header
Ensure the .AspNetCore.Antiforgery.* cookie is also included

Quick Fix for Swagger Testing:
Since Swagger doesn't handle antiforgery tokens well by default, you can disable antiforgery for Swagger only:

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
app.UseWhen(context => !context.Request.Path.StartsWithSegments("/swagger"), appBuilder =>
{
appBuilder.Use(next => context =>
{
if (HttpMethods.IsPost(context.Request.Method))
{
// apply antiforgery checks here
}
return next(context);
});
});

// other middleware

}

Or, apply [IgnoreAntiforgeryToken] on controller methods when testing.

Summary:

• Swagger doesn’t generate antiforgery tokens — either bypass antiforgery for Swagger testing or retrieve + include both cookie and header.
• For API-style controllers, it's often better to disable antiforgery and rely on other auth (JWT, OAuth).
• For MVC-style controllers (with views and forms), antiforgery is more appropriate.

[Eric-Rodrigues-Abib]

Hi Puspah, thanks for replying, im doing the right generation, im generating in both swagger and other API I have, and Im also adding the XSRF-TOKEN in the request header on the swagger and this is not working.

Saw this video: https://youtu.be/WbyNaW73D-M?si=HwSWVEu6n7Sqk7D4 and did the same as he and still can't being able to test it from swagger, didn't try testing with my front-end but I want to make sure everything goes fine with swagger.

The problem is that Im doing the right generation and also adding on the header of the request but I get 400 Bad Request while trying POST, PUT, DELETE requests.

[puspah-ghimire]

Hi Eric, thanks for the reply and extra info — I see you're already generating the token correctly and adding it in Swagger, which helps narrow it down.

One common issue (even if you add XSRF-TOKEN header) is that Swagger UI by default does not send the antiforgery cookie (.AspNetCore.Antiforgery.*) along with the request — and antiforgery checks require both the token in header and the corresponding cookie on the same request.

So even if you manually add the header, if the cookie is missing or not passed with the request (which usually happens in Swagger), the server will return 400.

A few options to try:

1️⃣ Test with browser + front-end — since the browser handles cookies automatically, this often works even if Swagger doesn't.

2️⃣ Use a tool like Postman — you can manually set both the cookie and header there and verify that your antiforgery setup works.

3️⃣ Swagger config workaround — if you want to test from Swagger, you would need to either:

Customize Swagger UI to support sending cookies

Or bypass antiforgery on Swagger routes for testing (as I showed earlier).

Summary: It’s likely not an issue in your antiforgery generation logic — it’s a limitation of Swagger testing with cookies. The real test would be to verify with your front-end or Postman where cookies flow correctly.

If you want, I can also share an example of customizing Swagger UI to send cookies if you'd like to go that route

[Eric-Rodrigues-Abib]

Yes, so, let me share you a snippet here:

options.AddSecurityDefinition(
                    "X-XSRF-TOKEN",
                    new OpenApiSecurityScheme
                    {
                        In = ParameterLocation.Header,
                        Description = "CSRF Token. Get this value from the XSRF-TOKEN.",
                        Name = "X-XSRF-TOKEN",
                        Type = SecuritySchemeType.ApiKey,
                        Scheme = "X-XSRF-TOKEN"
                    });
                options.AddSecurityRequirement(new OpenApiSecurityRequirement {
                {
                    new OpenApiSecurityScheme
                    {
                        Reference = new OpenApiReference
                        {
                            Type = ReferenceType.SecurityScheme,
                            Id = "X-XSRF-TOKEN",
                        },
                    }, Array.Empty<string>()
                }});

And this is how Im adding the token on each request at swagger, Im getting from the applications tab in google chrome developer mode and adding here. The token is being generated with both tags, .AspNetCore.Antiforgery.* and XSRF-TOKEN and so I get the value from the XSRF and add on the following piece of code I have shared that the code expects to be X-XSRF-TOKEN as I put on the cookie options header name. So here I can't see where the error could be, when I try any post request I see that in the header there is right there X-XSRF-TOKEN and its value being sent to the request. Once again, when adding the [IgnoreAntiforgeryToken] the POST request finally works, so this seems to be something related to the actual validation on it

[puspah-ghimire]

Hi Eric — thanks again for the details, now it's very clear what’s happening. 👍

Quick recap:

✅ You are sending the header X-XSRF-TOKEN
✅ The token generation is correct
🚫 Swagger UI is not sending the antiforgery cookie .AspNetCore.Antiforgery.*

And that’s why POST fails in Swagger — antiforgery validation on the server requires both the cookie + header, not just the header.

How to fix it in Swagger? — You need Swagger UI to send cookies.
In Swagger UI, this is controlled by:
withCredentials: true

Unfortunately, the default Swashbuckle Swagger UI for .NET does not enable this — you have to add it yourself when configuring Swagger UI.
Example: In your Program.cs or Startup.cs when calling UseSwaggerUI(), you can add:

app.UseSwaggerUI(c =>
{
c.SwaggerEndpoint("/swagger/v1/swagger.json", "My API V1");

// Enable sending cookies (required for antiforgery!)
c.ConfigObject.AdditionalItems["withCredentials"] = true;

});

Why this works:
withCredentials: true makes Swagger UI send cookies along with requests — without this, your antiforgery cookie never reaches the server, so validation fails.

Summary:

✅ Your antiforgery setup is correct
✅ Header is correct
🚫 Cookie is not sent by Swagger unless you set withCredentials: true

Once you add that — Swagger POST/PUT/DELETE should start working without needing [IgnoreAntiforgeryToken].

[Eric-Rodrigues-Abib]

This doesn't make sense at all, If I need to send on the request header I don't need to send as a cookie.

[puspah-ghimire]

Hi Eric — I get what you mean — but here’s why ASP.NET Core antiforgery does require both the header and the cookie, by design:

✅ The header (X-XSRF-TOKEN) proves that the client knows the token
✅ The cookie (.AspNetCore.Antiforgery.*) proves that the token belongs to that user session

ASP.NET Core antiforgery system always matches:

token in header == token in cookie

That’s how it protects against CSRF attacks — if only a header is sent (no cookie), the framework will reject the request with 400.

This is the reason it works in browsers (which send both automatically), but fails in Swagger UI (which by default sends only the header, not the cookie).

How can you confirm this?

Microsoft docs say this:

"For security, ASP.NET Core validates that the token received in the request header matches the antiforgery cookie stored on the client."

(See: Antiforgery in ASP.NET Core)

[Eric-Rodrigues-Abib]

So you mean I have to do this:

options.AddSecurityDefinition(
                    "X-XSRF-TOKEN",
                    new OpenApiSecurityScheme
                    {
                        In = ParameterLocation.Header,
                        Description = "CSRF Token. Get this value from the XSRF-TOKEN.",
                        Name = "X-XSRF-TOKEN",
                        Type = SecuritySchemeType.ApiKey,
                        Scheme = "X-XSRF-TOKEN"
                    });
                options.AddSecurityRequirement(new OpenApiSecurityRequirement {
                {
                    new OpenApiSecurityScheme
                    {
                        Reference = new OpenApiReference
                        {
                            Type = ReferenceType.SecurityScheme,
                            Id = "X-XSRF-TOKEN",
                        },
                    }, Array.Empty<string>()
                }});

do for the cookie as well? and send them both? and after trying an POST Request

[puspah-ghimire]

Hi Eric — here’s the full picture:

✅ You do NOT need to define the cookie in AddSecurityDefinition — that won’t make Swagger send cookies.

✅ You need to configure Swagger UI to send cookies — and that is done by setting:
//withCredentials: true

How to do this? — Depends on your Swashbuckle version:

🔹 For Swashbuckle.AspNetCore 6.x:
In your Program.cs or Startup.cs:

app.UseSwaggerUI(c =>
{
c.SwaggerEndpoint("/swagger/v1/swagger.json", "My API V1");

// Enable sending cookies (required for antiforgery!)
c.ConfigObject.AdditionalItems["withCredentials"] = true;

});

🔹 For Swashbuckle.AspNetCore 7.x (and above):
app.UseSwaggerUI(c =>
{
c.SwaggerEndpoint("/swagger/v1/swagger.json", "My API V1");

// This replaces AdditionalItems in v7
c.WithCredentials();

});

Once you do this — now Swagger will send both:

✅ Your X-XSRF-TOKEN header (you already have this!)
✅ The .AspNetCore.Antiforgery.* cookie (withCredentials will cause Swagger UI to send it)

And then POST/PUT/DELETE will pass antiforgery validation

If you tell me which version you use — I can give you an exact working example .
(Also — you only need this for Swagger testing — in your frontend app this will already work fine.)

[Eric-Rodrigues-Abib]

So I already did this ConfigObject but didn't worked. Im current using 8.0 version I think.

[puspah-ghimire]

If you’re using Swashbuckle 8.x — then the old:
c.ConfigObject.AdditionalItems["withCredentials"] = true;

won’t work anymore — because in Swashbuckle 8.x, the API changed.

In Swashbuckle 8.x, you should now use:
c.WithCredentials();
That is the correct new API to enable withCredentials: true in Swagger UI.

So in short:

✅ You are doing everything right
✅ The reason ConfigObject didn’t work is because Swashbuckle 8.x no longer uses ConfigObject.AdditionalItems
✅ Just change it to .WithCredentials() — and then Swagger should send cookies correctly

[Eric-Rodrigues-Abib]

Tried to change to WithCredentials but no success, so maybe Im using another version, maybe 7 don't know

[puspah-ghimire]

Just check which Swashbuckle.AspNetCore version you are actually using — you can check in:
Your .csproj — look for:

Or in Visual Studio NuGet package manager (Installed tab)

[Eric-Rodrigues-Abib]

yeah, using 6.7

[puspah-ghimire]

So you’re using Swashbuckle.AspNetCore 6.7 — in this version, the correct way is:
`app.UseSwaggerUI(c =>
{
c.SwaggerEndpoint("/swagger/v1/swagger.json", "My API V1");

// This is how you enable withCredentials in 6.x versions
c.ConfigObject.AdditionalItems["withCredentials"] = true;

});
In Swashbuckle 6.x (including 6.7), WithCredentials() does NOT exist — you must use:c.ConfigObject.AdditionalItems["withCredentials"] = true;
`

Tip: Also make sure that when you call your POST request — your browser has the correct:
✅ .AspNetCore.Antiforgery.* cookie (visible in Application > Cookies tab)
✅ X-XSRF-TOKEN header (which you are already adding — good!)
Once both header + cookie are sent, POST / PUT / DELETE will work

[github-actions[bot]]

🕒 Discussion Activity Reminder 🕒

This Discussion has been labeled as dormant by an automated system for having no activity in the last 60 days. Please consider one the following actions:

1️⃣ Close as Out of Date: If the topic is no longer relevant, close the Discussion as out of date at the bottom of the page.

2️⃣ Provide More Information: Share additional details or context — or let the community know if you've found a solution on your own.

3️⃣ Mark a Reply as Answer: If your question has been answered by a reply, mark the most helpful reply as the solution.

Note: This dormant notification will only apply to Discussions with the Question label. To learn more, see our recent announcement.

Thank you for helping bring this Discussion to a resolution! 💬