For an AJAX request, you need to explicitly send the verification token to any controller action that is decorated with the [ValidateAntiForgeryToken] attribute.
1. Make sure a form tag is defined in your view; it renders the hidden __RequestVerificationToken input that holds the token

    <form asp-action="AddComment">

2. Add a beforeSend handler to your AJAX call and send the token in a request header

    $.ajax({
        type: 'POST',
        url: '/Posts/AddComment',
        data: JSON.stringify(comment),
        contentType: "application/json; charset=utf-8",
        dataType: "json",
        // Copy the token from the hidden form field into the XSRF-TOKEN header
        beforeSend: function (xhr) {
            xhr.setRequestHeader("XSRF-TOKEN",
                $('input:hidden[name="__RequestVerificationToken"]').val());
        }
    });

3. Add the following code to the ConfigureServices(IServiceCollection services) method in Startup.cs so that the antiforgery service reads the token from the same header

    services.AddAntiforgery(o => o.HeaderName = "XSRF-TOKEN");

4. Add the [ValidateAntiForgeryToken] attribute to your HttpPost controller action
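
If the page makes several AJAX calls, the header from step 2 can be attached in one place. The following is an added example, not code from the original post: it sends the token only on state-changing, same-origin requests so it is never forwarded to another site. The function names needsAntiforgeryToken and antiforgeryHeaders are illustrative, not part of jQuery or ASP.NET Core.

```javascript
// Added example. Header name must match o.HeaderName from step 3.
const ANTIFORGERY_HEADER = "XSRF-TOKEN";
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// True only for state-changing requests that stay on the page's own origin.
function needsAntiforgeryToken(method, url, pageOrigin) {
  const verb = String(method || "GET").toUpperCase();
  if (SAFE_METHODS.has(verb)) return false;
  try {
    // Resolves relative URLs such as /Posts/AddComment against the page origin;
    // protocol-relative URLs (//host/path) resolve to the other host and fail the check.
    const target = new URL(url, pageOrigin);
    return target.origin === new URL(pageOrigin).origin;
  } catch (e) {
    return false; // unparsable URL: do not attach the token
  }
}

// Returns the headers to add to a request (empty object when none apply).
function antiforgeryHeaders(method, url, pageOrigin, token) {
  if (!token || !needsAntiforgeryToken(method, url, pageOrigin)) return {};
  return { [ANTIFORGERY_HEADER]: token };
}

// Browser wiring: runs only when jQuery is loaded on the page.
if (typeof window !== "undefined" && typeof window.jQuery !== "undefined") {
  window.jQuery.ajaxPrefilter(function (options, originalOptions, jqXHR) {
    // Same hidden field the form tag from step 1 renders.
    const token = window.jQuery('input:hidden[name="__RequestVerificationToken"]').val();
    const headers = antiforgeryHeaders(options.type, options.url,
                                       window.location.origin, token);
    Object.keys(headers).forEach(function (name) {
      jqXHR.setRequestHeader(name, headers[name]);
    });
  });
}
```

With this prefilter in place, the per-call beforeSend handler from step 2 is no longer needed.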

A good article on this topic is "Prevent Cross-Site Request Forgery (XSRF/CSRF) attacks in ASP.NET Core":
https://docs.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-2.2