(mvc) csrf protection, not very likely to hit in normal situations, but when using legacy free applications, there might not be a csrf token leading to a denial of all requests.