As you have seen, anti-XSRF helpers, as described previously, are quite useful, but they have several limitations. If a user does not accept cookies on their browser, their requests will be rejected by the controller action decorated with ValidateAntiForgeryToken. You also need to make sure that your application is safe from XSS threats; otherwise, the anti-forgery token can be read. You must be mindful as well that the anti-forgery token does not work with HTTP GET requests, but only works with HTTP POST requests.