In this article I will explain with an example, how to send AntiForgeryToken with AngularJS AJAX request in ASP.Net Core MVC.
The AntiForgeryToken is used to prevent cross-site request forgery (CSRF) attacks and this article will illustrate how to configure and use the AntiForgeryToken during AngularJS AJAX request in ASP.Net Core MVC.
Note: For beginners in ASP.Net Core MVC, please refer my article ASP.Net MVC Core Hello World Tutorial with Sample Program example.
Configuring the Anti-Forgery Token and JSON Serializer setting
The first step is to configure the Anti-Forgery Token and JSON Serializer settings in the Startup.cs file.
1. Open the Startup.cs class from the Solution Explorer window.
Sending AntiForgeryToken with AngularJS AJAX request in ASP.Net Core
2. Add the following namespace.
using Newtonsoft.Json.Serialization;
3. Then inside the ConfigureServices method, you will have to add the following code which will instruct the program to:
1. Use Newtonsoft JSON for serialization.
2. Add Anti-Forgery Token with specific name to the Form.
public void ConfigureServices(IServiceCollection services)
            .AddJsonOptions(options => options.SerializerSettings.ContractResolver = new DefaultContractResolver());
    services.AddAntiforgery(o => o.HeaderName = "XSRF-TOKEN");
Following is a Model class named PersonModel with two properties i.e. Name and DateTime.
public class PersonModel
    /// Gets or sets Name.
    public string Name { get; set; }
    /// Gets or sets DateTime.
    public string DateTime { get; set; }
The Controller consists of two Action methods.
Action method for handling GET operation
Inside this Action method, simply the View is returned.
Action method for handling AngularJS AJAX operation
This Action method handles the AJAX call made from the AngularJS $http service in the View.
HttpPost: The HttpPost attribute which signifies that the method will accept Http Post requests.
ValidateAntiForgeryToken: The ValidateAntiForgeryToken attribute is used to prevent cross-site request forgery attacks.
Note: A cross-site request forgery is an attack is done by sending harmful script element, malicious command, or code from the user’s browser.
The object of PersonModel class is received as parameter and the Name property holds the value of the TextBox sent from the View.
Note: The FromBody attribute is used for model-binding the data sent from AngularJS $http service.
Finally, the Current DateTime of the Server is set into the DateTime property and the PersonModel object is returned to the View in JSON format.
public class HomeController : Controller
    public IActionResult Index()
        return View();
    public IActionResult AjaxMethod([FromBody] PersonModel person)
        person.DateTime = DateTime.Now.ToString();
        return Json(person);
The View HTML Markup consists of an HTML DIV to which ng-app and ng-controller AngularJS directives have been assigned.
Note: If you want to learn more about these directives, please refer my article Introduction to AngularJS.
The HTML DIV consists of an HTML TextBox and a Button. The Button has been assigned AngularJS ng-click directive. When the Button is clicked, the ButtonClick function is executed.
Note: If you want to learn more about ng-click directive, please refer my article AngularJS: Implement Button click event using ng-click directive example.
The Anti-Forgery Token has been added to View Page using the AntiForgeryToken function of the HTML Helper class.
Inside the ButtonClick function, the $http service is used to make an AJAX call to the Controller’s Action method.
The $http service has following properties and methods.
1. method – The method type of HTTP Request i.e. GET or POST.
2. url – URL of the Controller’s Action method.
3. datatype – The format of the data i.e. XML or JSON.
4. data – The parameters to be sent to the Controller’s Action method.
5. headers – List of headers to be specified for the HTTP Request.
The value of the Anti-Forgery Token is read from the Hidden Field added by the Html.AntiForgeryToken HTML Helper function and added to the headers property of $http service.
Event Handler
1. success – This event handler is triggered once the AJAX call is successfully executed.
2. error – This event handler is triggered when the AJAX call encounters an error.
The response from the AJAX call is received in JSON format inside the Success event handler of the $http service and the result is displayed using JavaScript Alert Message Box.
Note: If you want to learn more on displaying JavaScript alert with AngularJS, please refer my article AngularJS: Display (Show) JavaScript Alert box.
    Layout = null;
<!DOCTYPE html>
    <meta name="viewport" content="width=device-width" />
    <script type="text/javascript" src=""></script>
    <script type="text/javascript">
        var app = angular.module('MyApp', [])
        app.controller('MyController', function ($scope, $http, $window) {
            $scope.ButtonClick = function () {
                var antiForgeryToken = document.getElementsByName("__RequestVerificationToken")[0].value;
                var post = $http({
                    method: "POST",
                    url: "/Home/AjaxMethod",
                    dataType: 'json',
                    data: { name: $scope.Name },
                    headers: {
                        "Content-Type": "application/json",
                        "XSRF-TOKEN": antiForgeryToken
                post.success(function (data, status) {
                    $window.alert("Hello: " + data.Name + ".\nCurrent Date and Time: " + data.DateTime);
                post.error(function (data, status) {
    <div ng-app="MyApp" ng-controller="MyController">
        <input type="text" ng-model="Name" />
        <input type="button" value="Get Current Time" ng-click="ButtonClick()" />
Sending AntiForgeryToken with AngularJS AJAX request in ASP.Net Core