From ad3d736ccdea3a79739bbfe40de4c8f951739705 Mon Sep 17 00:00:00 2001
From: Luke Latham <1622880+guardrex@users.noreply.github.com>
Date: Mon, 7 Oct 2024 16:07:52 -0400
Subject: [PATCH] Remark on DP protection of persisted component state (#33806)

---
 aspnetcore/blazor/components/prerender.md                    | 2 ++
 aspnetcore/blazor/components/prerendering-and-integration.md | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/aspnetcore/blazor/components/prerender.md b/aspnetcore/blazor/components/prerender.md
index 74805c5461..d815b95384 100644
--- a/aspnetcore/blazor/components/prerender.md
+++ b/aspnetcore/blazor/components/prerender.md
@@ -114,6 +114,8 @@ When the component executes, `currentCount` is only set once during prerendering
 
 By initializing components with the same state used during prerendering, any expensive initialization steps are only executed once. The rendered UI also matches the prerendered UI, so no flicker occurs in the browser.
 
+The prerendered data sent to the client by the <xref:Microsoft.AspNetCore.Components.PersistentComponentState> service is protected by [ASP.NET Core Data Protection](xref:security/data-protection/introduction), so the state can't be read by a malicious user.
+
 ## Components embedded into pages and views (Razor Pages/MVC)
 
 For components embedded into a page or view of a Razor Pages or MVC app, you must add the [Persist Component State Tag Helper](xref:mvc/views/tag-helpers/builtin-th/persist-component-state-tag-helper) with the `<persist-component-state />` HTML tag inside the closing `</body>` tag of the app's layout. **This is only required for Razor Pages and MVC apps.** For more information, see <xref:mvc/views/tag-helpers/builtin-th/persist-component-state-tag-helper>.
diff --git a/aspnetcore/blazor/components/prerendering-and-integration.md b/aspnetcore/blazor/components/prerendering-and-integration.md
index 0f30f3fc95..a48b8f7329 100644
--- a/aspnetcore/blazor/components/prerendering-and-integration.md
+++ b/aspnetcore/blazor/components/prerendering-and-integration.md
@@ -920,6 +920,8 @@ else
 
 By initializing components with the same state used during prerendering, any expensive initialization steps are only executed once. The rendered UI also matches the prerendered UI, so no flicker occurs in the browser.
 
+The prerendered data sent to the client by the <xref:Microsoft.AspNetCore.Components.PersistentComponentState> service is protected by [ASP.NET Core Data Protection](xref:security/data-protection/introduction), so the state can't be read by a malicious user.
+
 :::zone pivot="webassembly"
 
 ## Additional Blazor WebAssembly resources