From c7badc2e44a84afdd67323089b52d05659b19cd0 Mon Sep 17 00:00:00 2001 From: mottykohn Date: Tue, 25 Jul 2017 16:07:02 -0400 Subject: [PATCH] Update preventing-cross-site-request-forgery-csrf-attacks.md (#3823) --- .../preventing-cross-site-request-forgery-csrf-attacks.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aspnet/web-api/overview/security/preventing-cross-site-request-forgery-csrf-attacks.md b/aspnet/web-api/overview/security/preventing-cross-site-request-forgery-csrf-attacks.md index f4c4808893..908b391627 100644 --- a/aspnet/web-api/overview/security/preventing-cross-site-request-forgery-csrf-attacks.md +++ b/aspnet/web-api/overview/security/preventing-cross-site-request-forgery-csrf-attacks.md @@ -48,7 +48,7 @@ Here is an example of an HTML form with a hidden form token: [!code-html[Main](preventing-cross-site-request-forgery-csrf-attacks/samples/sample2.html)] -Anti-forgery tokens work because the malicious page cannot read the user's tokens, due to same-origin policies. ([Same-orgin policies](http://www.w3.org/Security/wiki/Same_Origin_Policy) prevent documents hosted on two different sites from accessing each other's content. So in the earlier example, the malicious page can send requests to example.com, but it cannot read the response.) +Anti-forgery tokens work because the malicious page cannot read the user's tokens, due to same-origin policies. ([Same-origin policies](http://www.w3.org/Security/wiki/Same_Origin_Policy) prevent documents hosted on two different sites from accessing each other's content. So in the earlier example, the malicious page can send requests to example.com, but it cannot read the response.) To prevent CSRF attacks, use anti-forgery tokens with any authentication protocol where the browser silently sends credentials after the user logs in. This includes cookie-based authentication protocols, such as forms authentication, as well as protocols such as Basic and Digest authentication.
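Review bot: The one-word change in this hunk (`Same-orgin` to `Same-origin` in the link text) is correct and correctly scoped; two small follow-ups in the same sentence would be worth taking while the line is being touched. First, the surrounding prose uses the plural "same-origin policies" in both the old and new line, while the linked page and the rest of the industry call it the "same-origin policy" (singular); aligning the wording with the link target avoids suggesting there are several distinct policies. Second, the link still points at `http://www.w3.org/Security/wiki/Same_Origin_Policy`; w3.org serves the same page over HTTPS, so switching the scheme keeps a security article from linking to a plain-HTTP resource. The rest of the paragraph (the malicious page can send a request to example.com but cannot read the response, so it cannot obtain the token) is accurate as written and needs no change.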