User-generated tokens

The recommended approach is to place a token in a hidden HTML form field. The token is generated by the origin server for the specific user, and every submitted form is checked to confirm that the token it carries is valid. The server keeps its own copy of the generated token (or a value it can be verified against) in the user's session or in an HTTP cookie, so that it can be retrieved later for comparison.

In ASP.NET Core MVC (Model View Controller), you verify requests by creating a token for the specific user that is passed between the view and the controller. If the submitted token does not match the one the server expects, the request is potentially an XSRF/CSRF attack and you can refuse to let it continue. All of this is done with an HTML helper that is built into ASP.NET Core MVC, @Html.AntiForgeryToken(), placed inside the form that is going to be submitted in the views section. Each time the view is rendered, this helper adds a hidden field named __RequestVerificationToken containing a token that the controller must verify when the form is posted back.

You can use the AntiForgeryToken functionality that is available with ASP.NET Core MVC to prevent XSRF/CSRF attacks.

This approach requires the corresponding controller to work in step with the view, so that it knows the form data it receives carries an anti-forgery token. This is done by decorating the specific action in the controller with the [ValidateAntiForgeryToken] attribute. The attribute confirms that the HTTP request contains both the anti-forgery cookie and the hidden form field mentioned previously, and verifies that the two values belong to the same token pair (in ASP.NET Core they are cryptographically bound to each other rather than byte-identical). If either value is missing or they do not match, the request is rejected with 400 Bad Request before the action body runs.

It is advisable to decorate every form with an anti-forgery token. This includes login forms: a login form without one is open to login CSRF, where an attacker submits their own credentials through the victim's browser so that the victim ends up signed in to the attacker's account.
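The following is an added example, not code from the book, showing the view, the controller and the startup wiring described above for a login form. The controller, view model, view path and the Build method are illustrative names assumed for the example; the attributes, helper and option names are ASP.NET Core's own.

```csharp
// Added example (not from the book): a login form protected with ASP.NET Core's
// built-in antiforgery support. AccountController, LoginViewModel, the view path
// and Startup.Build are illustrative assumptions, not framework names.

using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

/* Views/Account/Login.cshtml (Razor view). @Html.AntiForgeryToken() emits
   <input name="__RequestVerificationToken" type="hidden" value="CfDJ8..." />
   and the response also carries the matching .AspNetCore.Antiforgery.* cookie.
   The form tag helper (<form asp-action="...">) adds the same hidden field on
   its own; the explicit helper is shown here for a plain HTML form.

   @model LoginViewModel
   <form method="post" action="/Account/Login">
       @Html.AntiForgeryToken()
       <input name="UserName" type="text" />
       <input name="Password" type="password" />
       <button type="submit">Sign in</button>
   </form>
*/

public class LoginViewModel
{
    public string UserName { get; set; } = "";
    public string Password { get; set; } = "";
}

public class AccountController : Controller
{
    // GET renders the form; rendering the view generates the token pair.
    [HttpGet]
    public IActionResult Login() => View();

    // POST: the filter checks that the hidden field and the cookie were issued
    // together (cryptographically bound, not byte-identical) before the action
    // body runs. A missing or mismatched token produces 400 Bad Request.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public IActionResult Login(LoginViewModel model)
    {
        if (!ModelState.IsValid)
            return View(model);

        // Credential check goes here (omitted; not the subject of this section).
        return RedirectToAction("Index", "Home");
    }
}

// Program.cs equivalent: rather than decorating every POST action by hand,
// register AutoValidateAntiforgeryToken globally so every unsafe method
// (POST, PUT, PATCH, DELETE) is validated; GET, HEAD, OPTIONS and TRACE are skipped.
public static class Startup
{
    public static WebApplication Build(string[] args)
    {
        var builder = WebApplication.CreateBuilder(args);

        builder.Services.AddControllersWithViews(options =>
            options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()));

        builder.Services.AddAntiforgery(options =>
        {
            // The antiforgery cookie is HttpOnly and SameSite=Strict by default;
            // force Secure so it is never sent over plain HTTP.
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        });

        var app = builder.Build();
        app.MapDefaultControllerRoute();
        return app;
    }
}
```

With the global filter in place, [ValidateAntiForgeryToken] on the individual action becomes redundant but harmless; it is kept above to match the per-action approach described in the text. An action that must accept cross-site posts (for example a payment-provider callback) can opt out with [IgnoreAntiforgeryToken].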