Configuring your backend to always require authentication  

It's much more secure to take a whitelist approach, where the default behavior of your application is to require authentication for all actions and to allow anonymous access only to the APIs that explicitly permit it.

To set the implicit authentication requirement, we need to add an authentication filter to the request pipeline that is defined by the MVC infrastructure. This can be done by modifying the way we added MVC in the ConfigureServices method, as shown in the following code snippet:

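// Requires these using directives at the top of the file:
//   using Microsoft.AspNetCore.Authorization;
//   using Microsoft.AspNetCore.Mvc.Authorization;
services.AddMvc(config =>
{
    // Policy that is satisfied only by an authenticated user
    var policy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();

    // Register it as a global filter so it applies to every action
    config.Filters.Add(new AuthorizeFilter(policy));
});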

The preceding code adds an authorization filter to the request pipeline. Its policy requires the user to be authenticated in order to use any action that is not explicitly marked for anonymous access.
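The following added example (not from the original text) shows the global filter together with one action that opts out of it and one that does not. It assumes an ASP.NET Core 2.x style Startup class and cookie authentication as the registered scheme; the StatusController class and its routes are hypothetical.

```csharp
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Assumption: cookie authentication. Any registered scheme works,
        // but one must exist or the filter has nothing to challenge with.
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
                .AddCookie();

        services.AddMvc(config =>
        {
            var policy = new AuthorizationPolicyBuilder()
                .RequireAuthenticatedUser()
                .Build();
            config.Filters.Add(new AuthorizeFilter(policy));
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        // Must run before MVC so the user is populated when the filter executes.
        app.UseAuthentication();
        app.UseMvc();
    }
}

// Hypothetical controller used only to illustrate the two cases.
[Route("api/[controller]")]
public class StatusController : ControllerBase
{
    // Explicit opt-out: the only way an action becomes reachable anonymously.
    [AllowAnonymous]
    [HttpGet("ping")]
    public IActionResult Ping() => Ok("pong");

    // No attribute: the global filter applies, so anonymous callers are challenged.
    [HttpGet("whoami")]
    public IActionResult WhoAmI() => Ok(User.Identity.Name);
}
```

With this layout, a code review only has to search for `[AllowAnonymous]` to enumerate every endpoint that is exposed without authentication.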
