I have a public site with some forms.

Simple question:
What kind of information should I show when validation of the AntiForgeryToken fails?

Should it be a 404 (page not found), an error, or should I just ignore it and redirect to the home page?

A: 

You should return an appropriate status code. 404 means that the requested resource is not found, which is not the case with an anti-forgery token validation failure.

403 Forbidden seems like a reasonable status code to return in this case. It means that the server understood the request but refused to fulfill it.

Darin Dimitrov
Do you suggest creating a special page (403) with additional information about this situation?
dario-g
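One way to put the accepted answer into practice in ASP.NET MVC, and to answer the follow-up question about a dedicated 403 page, is a global exception filter. The code below is an added example, not code from the question, the answer, or ASP.NET itself; the class name `AntiForgeryFailureFilter` and the view name `Forbidden` are assumptions. It relies on the framework behaviour that `[ValidateAntiForgeryToken]` throws `HttpAntiForgeryException` when the form field is missing, malformed, or does not match the cookie.

```csharp
using System.Net;
using System.Web.Mvc;

// Added example (not from the original thread): maps an anti-forgery validation
// failure to 403 Forbidden instead of MVC's default 500 error page.
public class AntiForgeryFailureFilter : FilterAttribute, IExceptionFilter
{
    public void OnException(ExceptionContext filterContext)
    {
        // Only handle the anti-forgery failure; let every other exception
        // flow to the normal error handling.
        if (!(filterContext.Exception is HttpAntiForgeryException))
        {
            return;
        }

        var response = filterContext.HttpContext.Response;
        response.StatusCode = (int)HttpStatusCode.Forbidden;
        // Keep our own body rather than letting IIS substitute its custom error page.
        response.TrySkipIisCustomErrors = true;

        if (filterContext.HttpContext.Request.IsAjaxRequest())
        {
            // A script or API caller only needs the status; no HTML page.
            filterContext.Result = new HttpStatusCodeResult(
                (int)HttpStatusCode.Forbidden,
                "Anti-forgery token validation failed");
        }
        else
        {
            // Browser user: render Views/Shared/Forbidden.cshtml (assumed name).
            // Keep the message generic: "the form has expired or the request could
            // not be verified, please reload the form and try again". Do not echo
            // the submitted token or cookie value back in the page.
            filterContext.Result = new ViewResult { ViewName = "Forbidden" };
        }

        filterContext.ExceptionHandled = true;
    }
}

// Registration in Global.asax.cs (MVC 3 and later).
public class MvcApplication : System.Web.HttpApplication
{
    protected void Application_Start()
    {
        GlobalFilters.Filters.Add(new AntiForgeryFailureFilter());
    }
}

// The action that is being protected: the token comes from
// @Html.AntiForgeryToken() inside the form in the view.
public class ContactController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Send(string message)
    {
        // ... process the form ...
        return RedirectToAction("Index", "Home");
    }
}
```

The filter keeps the answer's distinction intact: the resource exists, so 404 would be misleading, and silently redirecting to the home page would hide the failure from both the user (who typically just needs to reload an expired form) and from server logs. The 403 page itself should stay generic; a legitimate user gains nothing from the token internals, and an attacker who managed to get a victim's browser to submit the form should not learn anything from the response either.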