What is the difference between [FromForm] and [FromBody] in ASP.NET Core? I will use one of them for a POST method. If I use FromForm, can it be a security problem?
The FromForm attribute is for incoming data from a submitted form sent by the content type application/x-www-url-formencoded, while FromBody will parse the model the default way, which in most cases is sent by the content type application/json, from the request body.
For the security problem, you could use the ValidateAntiForgeryToken attribute on the POST method. It specifies that the class or method this attribute is applied to validates the anti-forgery token. If the anti-forgery token is not available, or if the token is invalid, the validation will fail and the action method will not execute.
The anti-forgery token found in MVC is a way to prevent cross site request forgery (CSRF) attacks. Without going into too much detail, a CSRF attack occurs when a user visits an untrusted site and enters some information that is then posted back to a site to which the user has already authenticated.
You could refer to the following link on how AntiForgeryToken() actually works:
http://blog.at-dot.net/archive/2014/05/13/mvc-what-is-html-dot-antiforgerytoken-and-how-does-it-actually-work/#targetText=The%20anti%2Dforgery%20token%20found,the%20user%20has%20already%20authenticated.
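
The two bindings discussed above, side by side with ValidateAntiForgeryToken on each POST action. This is an added example, not code from the original answer; it assumes ASP.NET Core 6 or later, and the model, routes and header name "X-CSRF-TOKEN" are hypothetical.

```csharp
using System.ComponentModel.DataAnnotations;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllersWithViews();   // also registers the antiforgery services
// Header that carries the token when the request has no form field (name is an assumption).
builder.Services.AddAntiforgery(o => o.HeaderName = "X-CSRF-TOKEN");
var app = builder.Build();
app.MapControllers();
app.Run();

// Hypothetical model bound by both actions.
public class TransferRequest
{
    [Required, StringLength(34)]
    public string ToAccount { get; set; } = "";

    [Range(0.01, 10000.0)]
    public decimal Amount { get; set; }
}

[Route("transfers")]
public class TransfersController : Controller
{
    // Form post (application/x-www-form-urlencoded or multipart/form-data).
    // The token arrives in the hidden __RequestVerificationToken field that
    // the form tag helper or @Html.AntiForgeryToken() renders into the page.
    [HttpPost("form")]
    [ValidateAntiForgeryToken]
    public IActionResult PostForm([FromForm] TransferRequest request)
    {
        if (!ModelState.IsValid) return BadRequest(ModelState);
        return Ok(new { request.ToAccount, request.Amount });
    }

    // JSON post (application/json). A JSON body has no hidden form field,
    // so the client sends the token in the X-CSRF-TOKEN header configured above.
    [HttpPost("json")]
    [ValidateAntiForgeryToken]
    public IActionResult PostJson([FromBody] TransferRequest request)
    {
        if (!ModelState.IsValid) return BadRequest(ModelState);
        return Ok(new { request.ToAccount, request.Amount });
    }
}
```

In both actions a missing or invalid token produces a 400 response before the action body runs, so the choice of binding attribute does not change the CSRF check itself, only where the token is read from.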