ASP.NET ARMOR Web Framework

The Encrypted Token Pattern is a defence mechanism against Cross-Site Request Forgery (CSRF) attacks, and is an alternative to its sister patterns, Synchroniser Token and Double Submit Cookie. The ARMOR Web Framework provides a means to leverage this technique in repelling CSRF attacks against ASP.NET applications.

Click here for an in-depth tutorial on protecting ASP.NET applications from CSRF attacks using this framework.


PM> Install-Package Daishi.Armor.WebFramework

Sample Code

Generating Keys

ARMOR requires an encryption key and a hashing key, both supplied in Base64 format. You can generate both keys using the code below.

Note: Key-generation, rotation, and management are out-of-band topics in terms of leveraging ARMOR.

byte[] encryptionKey = new byte[32];
byte[] hashingKey = new byte[32];
using (var provider = new RNGCryptoServiceProvider()) { // System.Security.Cryptography
    provider.GetBytes(encryptionKey); // fill each 256-bit key with cryptographically random bytes
    provider.GetBytes(hashingKey);
} // supply the keys to ARMOR as Convert.ToBase64String(encryptionKey) and Convert.ToBase64String(hashingKey)

Adding Fortification Filters

Add the following filter to ASP.NET Web API applications

config.Filters.Add(new WebApiArmorFortifyFilter());

Add the following filter to ASP.NET MVC applications

public static void RegisterGlobalFilters(GlobalFilterCollection filters) {
    filters.Add(new MvcArmorFortifyFilter());
}

Protecting your Endpoints

Add the following attribute to ASP.NET Web API endpoints


Add the following attribute to ASP.NET MVC endpoints


Integrating with your Authentication Mechanism

Assuming that your application leverages Claims-based authentication, ARMOR will automatically read the UserID claim as follows:

public override bool TryRead(out IEnumerable<Claim> identity) {
    var claims = new List<Claim>();
    identity = claims;
    // principal (IPrincipal) and UserId (the claim type ARMOR binds tokens to) are inherited from IdentityReader
    var claimsIdentity = principal.Identity as ClaimsIdentity;
    if (claimsIdentity == null) return false; // not a claims-based principal
    // SingleOrDefault throws if the identity carries more than one UserId claim; exactly one is expected
    var subClaim = claimsIdentity.Claims.SingleOrDefault(c => c.Type.Equals(UserId));
    if (subClaim == null) return false; // authenticated, but no UserID claim to bind the token to
    claims.Add(subClaim); // hand the UserID claim back through the out parameter
    return true;
}

If your application leverages any other form of authentication mechanism, simply create your own implementation of IdentityReader and override the TryRead method so that it returns the logged-in UserID as a Claim.
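As an added example (not code from the ARMOR project), here is an IdentityReader for an application that uses forms authentication, where the logged-in user is available only as IPrincipal.Identity.Name rather than as a set of claims; it wraps that name in a Claim of type UserId so ARMOR has a user identity to bind the token to. The base-class members principal and UserId are assumed from the snippet above, and the constructor signature is an assumption.

```csharp
using System.Collections.Generic;
using System.Security.Claims;
using System.Security.Principal;
using Daishi.Armor.WebFramework;

// Assumed: IdentityReader exposes a protected IPrincipal field named principal
// and a UserId claim-type string, as the claims-based snippet above uses them.
public class FormsAuthIdentityReader : IdentityReader {
    // Constructor shape is an assumption (hypothetical); adapt to the base class you target.
    public FormsAuthIdentityReader(IPrincipal principal) : base(principal) { }

    public override bool TryRead(out IEnumerable<Claim> identity) {
        var claims = new List<Claim>();
        identity = claims;

        // Forms authentication yields a FormsIdentity/GenericIdentity: no claims, only a Name.
        var formsIdentity = principal?.Identity;
        if (formsIdentity == null || !formsIdentity.IsAuthenticated) return false; // anonymous: nothing to bind to
        if (string.IsNullOrWhiteSpace(formsIdentity.Name)) return false;           // an empty name would bind tokens to nobody

        // ARMOR keys the encrypted token to the UserId claim, so present the name under that claim type.
        claims.Add(new Claim(UserId, formsIdentity.Name));
        return true;
    }
}
```

Returning false for unauthenticated or nameless principals is deliberate: a token issued without a user identity could be replayed by anyone, which defeats the purpose of the pattern.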

