2026-07-17 aspnetcoredotnet-11security ASP.NET Core 11 Preview 6 turns on automatic CSRF protection Preview 6 rejects unsafe cross-origin browser requests by default, reading the Sec-Fetch-Site header instead of an antiforgery token. Here is what it blocks and how to opt out.