BstAntiForgery 10.0.2

BstAntiForgery

Anti-forgery token validation and honeypot bot detection middleware for ASP.NET Core.

  • Target framework: net10.0
  • No external NuGet dependencies (framework reference to Microsoft.AspNetCore.App only)

Setup

1. Program.cs — register services

services.ConfigureAntiForgery(
    TimeSpan cookieTime,
    string cookieDomain,
    CookieSecurePolicy cookieSecure,
    string basePath = "");

Parameters:

  • cookieTime — anti-forgery cookie lifetime
  • cookieDomain — cookie Domain
  • cookieSecure — CookieSecurePolicy (Always / SameAsRequest / None)
  • basePath — optional; prefixes the cookie name as {basePath}_AntiForgery and sets the cookie Path

Hardcoded internals (not configurable):

  • form field name: validNameAntiBst
  • header name: X-CSRF-TOKEN
  • cookie SameSite: Strict
  • cookie marked essential

2. Program.cs — register middleware

Insert before MapControllers, after other middlewares but before redirect middlewares:

app.AddAntiForgery(bool useHoneyPot = true);

  • Always registers AntiForgeryMiddleware.
  • Registers HoneyPotMiddleware when useHoneyPot is true (default).

3. _ViewImports.cshtml

@addTagHelper *, BstAntiForgery

This enables the form tag helper that automatically injects a hidden honeypot field into every POST <form>.

4. Controller actions

Apply the standard Microsoft.AspNetCore.Mvc attribute to actions that should be validated:

[ValidateAntiForgeryToken]

Validation only runs when this attribute is present on the endpoint.

How it works

Anti-forgery middleware

  • Validates POST requests on endpoints decorated with [ValidateAntiForgeryToken].
  • On invalid token: returns a 302 redirect to the same URL.
  • GETs and unmarked endpoints pass through.

Honeypot middleware

  • The form tag helper injects a hidden input named validNamePotBst (hidden via inline style width:0; height:0; visibility:hidden;, no CSS framework required) into POST forms. GET forms and forms without an action are skipped.
  • On POST: if validNamePotBst has a non-empty value the request is treated as a bot and answered with a 302 redirect to the same URL.
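
Because a rejected POST is answered with a 302 to the same URL, a script that calls fetch with default settings follows the redirect and receives the re-rendered page as a 200, so the rejection goes unnoticed. The following is an added example (not BstAntiForgery's own code) of a client that sends the token in X-CSRF-TOKEN and treats any redirect as a rejection. It assumes the token is rendered into the form as the hidden field validNameAntiBst, that the header is accepted in place of the form field, and that the action answers 2xx on success; buildPost, wasRejected and submitFields are hypothetical names.

```javascript
// Added example, not part of BstAntiForgery. Field and header names are the
// hardcoded values listed on this page; everything else is an assumption.
const TOKEN_FIELD = 'validNameAntiBst';
const TOKEN_HEADER = 'X-CSRF-TOKEN';

// Turn the form's fields into fetch() options: the token moves from the
// body into the header, all other fields (honeypot included) stay as-is.
function buildPost(fields) {
  const { [TOKEN_FIELD]: token, ...rest } = fields;
  if (!token) throw new Error(`form has no ${TOKEN_FIELD} value`);
  return {
    method: 'POST',
    credentials: 'same-origin',   // send the anti-forgery cookie
    redirect: 'manual',           // do not follow the rejection 302
    headers: { [TOKEN_HEADER]: token },
    body: new URLSearchParams(rest),
  };
}

// A rejected POST is a 302 back to the same URL. Browsers expose a manual
// redirect as type "opaqueredirect" (status 0); Node exposes the real 3xx.
function wasRejected(response) {
  return response.type === 'opaqueredirect' ||
         (response.status >= 300 && response.status < 400);
}

// Hypothetical helper: post the fields and fail loudly on rejection.
// Assumes the action answers 2xx on success, so any redirect means the
// token or honeypot check failed.
async function submitFields(url, fields, fetchImpl = fetch) {
  const response = await fetchImpl(url, buildPost(fields));
  if (wasRejected(response)) {
    throw new Error('POST rejected: anti-forgery or honeypot check failed');
  }
  return response;
}

// Browser usage (constructed markup):
//   const form = document.querySelector('form');
//   await submitFields(form.action, Object.fromEntries(new FormData(form)));
```

An action that itself redirects on success (Post/Redirect/Get) cannot be told apart from a rejection this way, which is why the example assumes a 2xx success response.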

Defaults reference

| Item | Value |
|---|---|
| Form token field | validNameAntiBst |
| Header token | X-CSRF-TOKEN |
| Honeypot field | validNamePotBst |
| Honeypot hiding | inline style="width:0; height:0; visibility:hidden;" |
| Cookie SameSite | Strict |
| Cookie name | {basePath}_AntiForgery (or AntiForgery when basePath is empty) |

Minimal example

Program.cs

builder.Services.ConfigureAntiForgery(
    cookieTime: TimeSpan.FromDays(1),
    cookieDomain: "example.com",
    cookieSecure: CookieSecurePolicy.Always);

var app = builder.Build();

// ... other middlewares ...
app.AddAntiForgery();
// ... redirect middlewares ...

app.MapControllers();
app.Run();

Views/_ViewImports.cshtml

@addTagHelper *, BstAntiForgery

Controller

[HttpPost]
[ValidateAntiForgeryToken]
public IActionResult Submit(MyModel model) { ... }

Razor form (honeypot field is injected automatically)

<form asp-action="Submit" method="post">
    <input asp-for="Name" />
    <button type="submit">Send</button>
</form>

No packages depend on BstAntiForgery.

.NET 10.0

  • No dependencies.

| Version | Downloads | Last updated |
|---|---|---|
| 10.0.2 | 0 | 04/05/2026 |
| 10.0.1 | 61 | 11/11/2025 |
| 9.0.4 | 19 | 20/10/2025 |
| 9.0.3 | 8 | 20/10/2025 |
| 9.0.2 | 8 | 15/10/2025 |
| 9.0.1 | 53 | 16/02/2025 |