If you have pages that display information to the user then these should be `GET` methods.
Examples of `GET`s:-
- View Basket.
- Display user details form.
- Display product.
However, if a page makes changes to the database or makes a permanent change (e.g. submitting card details) then these should be `POST`.
Examples of `POST`s:-
- Page that is called when basket is saved/changed.
- Page that is called when user details are saved.
- Login.
- Logout (an easy one to miss - usually sites implement this as `GET`).
If your site is using the correct method for each action, then you should only need to implement CSRF protection for `POST` methods. However, if you have accidentally used `GET` where a `POST` should have been used (e.g. logout), then a fix for this is to pass the CSRF token along the query string (e.g. `www.example.com/UserAccount/Logout?token=12345`) - changing to a `POST` though is recommended.
You would have to write your own code to validate the token in this case as ASP.NET MVC `ValidateAntiForgeryToken` only works with `POST` requests. See here for how to make `ValidateAntiForgeryToken` work with `GET`.
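One way to do the query-string validation the answer describes, as an added example that is not from the answer or from ASP.NET MVC itself: a filter attribute (the name `ValidateAntiForgeryTokenOnGet` and the `token` parameter name are assumptions) that reuses the framework's own `AntiForgery.Validate` pairing of the cookie token with a request token.

```csharp
using System;
using System.Web;
using System.Web.Helpers;
using System.Web.Mvc;

// Hypothetical attribute name; not part of ASP.NET MVC. It mirrors what
// ValidateAntiForgeryToken does for POST, but reads the token from the query string.
[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, AllowMultiple = false, Inherited = true)]
public sealed class ValidateAntiForgeryTokenOnGetAttribute : FilterAttribute, IAuthorizationFilter
{
    // Query-string parameter carrying the token; "token" matches the URL shape in the answer.
    private const string TokenParameter = "token";

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null) throw new ArgumentNullException("filterContext");

        HttpRequestBase request = filterContext.HttpContext.Request;

        // Only the query string is consulted, so a request body cannot satisfy this filter.
        string requestToken = request.QueryString[TokenParameter];

        // The anti-forgery cookie is the one issued by @Html.AntiForgeryToken() / AntiForgery.GetTokens().
        HttpCookie cookie = request.Cookies[AntiForgeryConfig.CookieName];
        string cookieToken = cookie != null ? cookie.Value : null;

        if (string.IsNullOrEmpty(requestToken) || string.IsNullOrEmpty(cookieToken))
        {
            throw new HttpAntiForgeryException("Missing anti-forgery token on GET request.");
        }

        // Same check the framework runs for POST: the two tokens must have been issued as a pair.
        // Throws HttpAntiForgeryException on mismatch, which ends the request.
        AntiForgery.Validate(cookieToken, requestToken);
    }
}

// Controller side, for a logout action that is still reachable via GET:
//
//   [ValidateAntiForgeryTokenOnGet]
//   public ActionResult Logout() { ... }
//
// View side, building the link so it carries a valid token (reuses an existing cookie if present):
//
//   @{ var old = Request.Cookies[AntiForgeryConfig.CookieName];
//      string newCookieToken, formToken;
//      AntiForgery.GetTokens(old != null ? old.Value : null, out newCookieToken, out formToken);
//      if (newCookieToken != null)
//          Response.Cookies.Add(new HttpCookie(AntiForgeryConfig.CookieName, newCookieToken) { HttpOnly = true }); }
//   <a href="@Url.Action("Logout", "UserAccount", new { token = formToken })">Logout</a>
```

A token in the query string ends up in server logs, browser history and outgoing Referer headers, which is one reason the answer still recommends moving the action to `POST`.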