Thursday, 20 October 2011

Preventing CSRF With Ajax


You can try to apply the ValidateAntiForgeryTokenAttribute attribute to an action
method, but it will fail every time if you try to post JSON-encoded data to the
action method. On one hand, the most secure action possible is one that rejects
every request. On the other hand, that’s a lousy user experience.
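
As an added illustration (not code from the original post or from ASP.NET MVC), the JavaScript model below assumes the anti-forgery check compares a cookie against the `__RequestVerificationToken` field of the form collection, which only form-encoded bodies populate. The request objects, the token value and the simple equality check are constructed for the example.

```javascript
// Simplified model (an assumption, not ASP.NET MVC source): the anti-forgery
// check compares a cookie token with a token read from the form collection.
const TOKEN_FIELD = "__RequestVerificationToken";

// Build the form collection the way a form-based framework does: only
// form-encoded bodies populate it; any other content type leaves it empty.
function parseFormCollection(request) {
  const header = request.headers["content-type"] || "";
  const type = header.split(";")[0].trim().toLowerCase();
  if (type !== "application/x-www-form-urlencoded") return {};
  return Object.fromEntries(new URLSearchParams(request.body));
}

// Model of the validation step: reject unless the cookie and the form field
// are both present and match. Real tokens are opaque protected values; plain
// string equality is a constructed stand-in.
function validateAntiForgery(request) {
  const form = parseFormCollection(request);
  const cookieToken = request.cookies[TOKEN_FIELD];
  const formToken = form[TOKEN_FIELD];
  return Boolean(cookieToken) && Boolean(formToken) && cookieToken === formToken;
}

// Constructed sample requests, all from a client holding the same cookie.
const token = "constructed-sample-token";
const cookies = { [TOKEN_FIELD]: token };

const formPost = {
  headers: { "content-type": "application/x-www-form-urlencoded; charset=UTF-8" },
  cookies,
  body: new URLSearchParams({ [TOKEN_FIELD]: token, comment: "hello" }).toString(),
};

// Same token, same data, but JSON-encoded: the form collection stays empty.
const jsonPost = {
  headers: { "content-type": "application/json" },
  cookies,
  body: JSON.stringify({ [TOKEN_FIELD]: token, comment: "hello" }),
};

// A form post that carries the cookie but no token field is still rejected.
const noTokenPost = { ...formPost, body: "comment=hello" };

for (const [name, req] of Object.entries({ formPost, jsonPost, noTokenPost })) {
  console.log(name, validateAntiForgery(req) ? "accepted" : "rejected");
}
```
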


The problem lies in the fact that, under the hood, deep within the call
stack, the
