Warning The 'Cache-Control' and 'Pragma' headers have been overridden with Antiforgery.DefaultAntiforgery


I am making use of DefaultAntiforgery in my ASP.NET Core application. I would like to enable ResponseCaching, but I am getting this warning:

warn: Microsoft.AspNetCore.Antiforgery.DefaultAntiforgery The 'Cache-Control' and 'Pragma' headers have been overridden

I added [IgnoreAntiforgeryToken] to the method but still get the same warning. Is there a way to do this without removing DefaultAntiforgery?

[ResponseCache(Duration = 86400, Location = ResponseCacheLocation.Any, NoStore = false)]
[IgnoreAntiforgeryToken]
public async Task<IActionResult> Index()
{
    ViewData["SearchPlaceholder"] = "Search by Time";
    
    return View();
}

There are 1 best solutions below


According to the Microsoft documentation, AddControllersWithViews must be called to have built-in antiforgery token support, which is used to protect against CSRF attacks.

Under this circumstance, it's not advisable to combine antiforgery with caching. If you enable them at the same time, your request token is stored and is at risk of CSRF attacks. That's why VS shows the warning. Even if you set IgnoreAntiforgeryToken, due to the risk, VS will still show the warning.

So, if you are not worried about CSRF attacks, you can just ignore the warning. Otherwise, you might be better off turning off the caching.
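
A response audit for the situation discussed in this thread, as an added example that is not part of the original question or answer: it flags a response that is publicly cacheable while carrying antiforgery material, and treats the `no-cache, no-store` override as the safe outcome. The cookie prefix and form-field name are the ASP.NET Core defaults; the function names and the raw responses are constructed for illustration.

```python
import re

# ASP.NET Core antiforgery defaults (both can be changed via AntiforgeryOptions).
COOKIE_PREFIX = ".AspNetCore.Antiforgery."
FORM_FIELD = "__RequestVerificationToken"

def parse_response(raw):
    """Split a raw HTTP/1.1 response into ({lowercased header: [values]}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers, body

def is_shared_cacheable(headers):
    """True if Cache-Control lets a browser or proxy store and reuse the response."""
    d = set()
    for value in headers.get("cache-control", []):
        d.update(p.split("=")[0].strip().lower() for p in value.split(",") if p.strip())
    if d & {"no-store", "no-cache", "private"}:
        return False
    return bool(d & {"public", "max-age", "s-maxage"})

def antiforgery_material(headers, body):
    """Report where a per-user antiforgery token appears in the response."""
    found = []
    if any(c.startswith(COOKIE_PREFIX) for c in headers.get("set-cookie", [])):
        found.append("cookie")
    if re.search(r'<input[^>]*name="%s"' % re.escape(FORM_FIELD), body):
        found.append("form-field")
    return found

def audit(raw):
    headers, body = parse_response(raw)
    material = antiforgery_material(headers, body)
    if material and is_shared_cacheable(headers):
        return "FAIL: cacheable response carries antiforgery " + "+".join(material)
    if material:
        return "OK: token present, response not cacheable"
    return "OK: no antiforgery token in response"

# Constructed sample responses (not captured from a real application).
CACHED_WITH_TOKEN = ("HTTP/1.1 200 OK\r\nCache-Control: public,max-age=86400\r\n\r\n"
    '<form method="post"><input name="__RequestVerificationToken" type="hidden" value="CONSTRUCTED" /></form>')
OVERRIDDEN = ("HTTP/1.1 200 OK\r\nCache-Control: no-cache, no-store\r\nPragma: no-cache\r\n"
    "Set-Cookie: .AspNetCore.Antiforgery.SAMPLE=CONSTRUCTED; path=/; httponly\r\n\r\n<form></form>")
NO_TOKEN = "HTTP/1.1 200 OK\r\nCache-Control: public,max-age=86400\r\n\r\n<h1>Search by Time</h1>"
```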