Should the AntiForgeryToken be applied to every post action?

Should the AntiForgeryToken be applied to every post action in an ASP.NET MVC application? Off the top of my head I can't think of any reason why you would not want to include this on every post action, but it seems that nobody ever actually recommen开发者_高级运维ds using it on all of your actions.

I'd love to hear your thoughts.

I always use it on POST/DELETE/PUT actions. I want to be as sure as I can that the request is coming from a page that my server sent to the browser when I'm changing data as a result.

Not adding an anti-forgery token to a form would require being completely sure there is no possibility of a cross site forgery (or other) attack. And that such attach will not be found in the future for that case.

On the other hand is there ever a significant disadvantage to having a token?

It seems to be that not doing it always will be more (mental) effort in finding those "no risk" cases.