Should the AntiForgeryToken be applied to every post action in an ASP.NET MVC application? Off the top of my head I can't think of any reason why you would not want to include this on every post action, but it seems that nobody ever actually recommends using it on all of your actions.

I'd love to hear your thoughts.

+1  A: 

I always use it on POST/DELETE/PUT actions. I want to be as sure as I can that the request is coming from a page that my server sent to the browser when I'm changing data as a result.

tvanfosson
A: 

Not adding an anti-forgery token to a form would require being completely sure there is no possibility of a cross site forgery (or other) attack. And that such attack will not be found in the future for that case.

On the other hand, is there ever a significant disadvantage to having a token?

It seems to be that not doing it always will be more (mental) effort in finding those "no risk" cases.

Richard
I would be more worried about someone forgetting to apply the token rather than explicitly omitting it.
Page Brooks
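As an added example (not from the question or any of the answers above) of the "apply it everywhere so nobody can forget" approach that tvanfosson's answer and Page Brooks' comment point at: a hypothetical global filter for ASP.NET MVC 3+ that calls `AntiForgery.Validate()` on every request whose HTTP method is not a safe, read-only one. The class and method names are assumptions; `AntiForgery.Validate()` is the real helper from `System.Web.Helpers`.

```csharp
using System;
using System.Web;
using System.Web.Helpers;
using System.Web.Mvc;

// Hypothetical filter (example code, not part of the question or answers).
// It validates the anti-forgery token for every request whose method is not
// GET/HEAD/OPTIONS/TRACE, so the check no longer depends on a developer
// remembering to put [ValidateAntiForgeryToken] on each POST action.
public sealed class ValidateAntiForgeryTokenOnUnsafeMethodsAttribute
    : FilterAttribute, IAuthorizationFilter
{
    // Safe methods must not change server state, so no token is required for them.
    private static readonly string[] SafeMethods = { "GET", "HEAD", "OPTIONS", "TRACE" };

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null)
            throw new ArgumentNullException("filterContext");

        HttpRequestBase request = filterContext.HttpContext.Request;
        string method = (request.HttpMethod ?? string.Empty).ToUpperInvariant();

        if (Array.IndexOf(SafeMethods, method) >= 0)
            return; // read-only request: nothing to validate

        // Throws HttpAntiForgeryException when the __RequestVerificationToken
        // cookie or form field is missing or when the two do not match.
        AntiForgery.Validate();
    }
}

// Register the filter once (e.g. in App_Start/FilterConfig.cs, called from
// Global.asax.cs) so it covers every controller and action in the application.
public static class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new ValidateAntiForgeryTokenOnUnsafeMethodsAttribute());
    }
}
```

Every form that posts back still needs `@Html.AntiForgeryToken()` in its view; with the filter in place, a form that is missing it fails loudly at the first POST instead of silently shipping without protection.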