Why do we need to use @Html.AntiForgeryToken()?
I searched but I didn't get a satisfactory answer.
This is a security feature to help protect your application against cross-site request forgery.
Example:
Let's assume you have a register functionality in your web app. You have an AccountController (example.com/account/register) where you expect people to submit their info. Normally, before someone posts the registration information, they need to visit the actual page (example.com/account/register) and then submit the form.
Let's say I am a bad guy and I want to flood your server with junk info; all I need to do is just keep posting directly to (example.com/account/register) without visiting your site. So in order to stop me you implement AntiForgeryToken so you can make sure I visited the page before I submitted the registration information.
Another example is http://www.binaryintellect.net/articles/20e546b4-3ae9-416b-878e-5b12434fe7a6.aspx.
This is to prevent Cross-site request forgery in your MVC application. This is part of the OWASP Top 10 and it is vital in terms of web security. Using the @Html.AntiForgeryToken() method will generate a token per every request so then no one can forge a form post.
What is the use of @Html.AntiForgeryToken()?
Live Scenario:
Suppose, you are logged into your bank account and are going to transfer some money to your friend. A hacker knows that you are logged in and also knows the URL of the money transfer submission. Suddenly, you get an email and check it. You see an image and by mistake, you click on that. Then, after a minute or so, you get another message that some amount has been deducted from your account. Actually, that image had been sent by the hacker and behind that image a URL has been submitted on your click.
So we use AntiForgeryToken() in the application to prevent this from hackers.
Antiforgery() is for stopping robotic filling of any forms, which will stop data being added without going through the form.
AntiForgeryToken is a security token generated by the .NET Core web application, which is used to validate a POST request to guard against Cross-Site Request Forgery. AntiForgeryToken is used for validating the POST request. So if we access an MVC or Razor Pages view which contains a form element with the attribute 'method="post"', then the view gets rendered with an automatically generated AntiForgeryToken value, which gets injected into the form as a hidden input field.
The explanation above is partial.
A malicious actor could potentially flood your server by directly posting to your register page, and there's no direct prevention for this.
The AntiForgeryToken directive causes the server to send a cookie with a token and a form field with another token. These tokens, present in the cookie and the form field, are interconnected through encryption. Upon form submission, both values must be validated and matched using a specific encryption mechanism. If they match, the post request is processed by the framework; otherwise it's rejected.
The principle is that even if a malicious actor can force a client browser to send a request with a valid cookie (via phishing, emails, etc.) and some bad form data (i.e. account IDs, amounts, etc.), the hidden form value remains unknown and impossible to predict. So the values from the cookie and the hidden field arriving at the server mismatch, and the hacker is unhappy :-).
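The cookie-plus-hidden-field mechanism described in the answer above, and the bank-transfer scenario from the earlier answer, can be modelled in a few lines. The following is an added example written for this page; it is not ASP.NET's code (the real framework serialises and protects its tokens with the Data Protection system and binds the form token to the authenticated user's identity and claims), but a simplified model of the same principle: a random cookie token, a hidden-field token that carries a per-render nonce and an HMAC over the cookie token, the nonce and the user name under a server-only key, and a validator that accepts a POST only when both halves are present and the MAC matches. The key, the user names "alice" and "mallory", and the three simulated requests are assumptions constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Server-side secret. In ASP.NET this role is played by the Data Protection key ring;
# here it is a random key generated at process start (assumption for the example).
SERVER_KEY = secrets.token_bytes(32)


def _mac(cookie_token: str, nonce: str, username: str, key: bytes) -> str:
    """HMAC that ties the cookie token, a per-render nonce and the user together."""
    msg = f"{cookie_token}|{nonce}|{username}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_tokens(username: str = "", key: bytes = SERVER_KEY):
    """Model of what the server does when it renders a form with @Html.AntiForgeryToken().

    Returns (cookie_token, form_token). The cookie token is sent as a cookie (HttpOnly in
    the real framework); the form token is rendered into a hidden input. A fresh nonce
    makes the hidden field different on every render, and only the holder of SERVER_KEY
    can produce a hidden field that matches a given cookie.
    """
    cookie_token = secrets.token_hex(16)
    nonce = secrets.token_hex(16)
    form_token = f"{nonce}.{_mac(cookie_token, nonce, username, key)}"
    return cookie_token, form_token


def validate(cookie_token: str, form_token: str, username: str = "",
             key: bytes = SERVER_KEY) -> bool:
    """Model of [ValidateAntiForgeryToken] on POST: both halves must be present and the MAC
    in the hidden field must be the one this key computes for this cookie and this user."""
    if not cookie_token or not form_token:
        return False
    nonce, sep, mac = form_token.partition(".")
    if not sep:
        return False
    expected = _mac(cookie_token, nonce, username, key)
    return hmac.compare_digest(expected, mac)  # constant-time comparison


def simulate_legitimate_post() -> bool:
    """Alice loads the transfer page, then submits it: cookie and hidden field travel together."""
    cookie, hidden = issue_tokens("alice")
    return validate(cookie, hidden, "alice")


def simulate_csrf_post() -> bool:
    """The bank-email scenario: Alice's browser still holds her cookie, the attacker's page
    auto-submits a form to the bank, and the browser attaches the cookie. The attacker cannot
    read the hidden field from the bank's page (same-origin policy), so the field is a guess."""
    alice_cookie, _ = issue_tokens("alice")
    guessed_hidden = f"{secrets.token_hex(16)}.{secrets.token_hex(32)}"
    return validate(alice_cookie, guessed_hidden, "alice")


def simulate_stolen_pair_post() -> bool:
    """The attacker ('mallory') copies a valid cookie/field pair from their own session and
    replays it in a request carrying Alice's identity, as if they could also plant the cookie
    in Alice's browser: the user binding in the MAC breaks the match."""
    mallory_cookie, mallory_hidden = issue_tokens("mallory")
    return validate(mallory_cookie, mallory_hidden, "alice")


if __name__ == "__main__":
    print("legitimate post accepted:", simulate_legitimate_post())        # True
    print("cross-site post accepted:", simulate_csrf_post())              # False
    print("replayed attacker pair accepted:", simulate_stolen_pair_post())  # False
```

Two things the model makes visible that the prose only implies. First, the defence rests on the attacker being unable to read the hidden field, which is why a token in the page body (protected by the same-origin policy) and a token in a cookie (sent automatically by the browser) are needed together; if an XSS bug lets the attacker read the page, the token no longer helps. Second, as the answer above notes, none of this stops a bot that simply loads the form first and submits the token it was given: the token proves the request originated from your page in that browser, not that a human filled it in.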
© 2022 - 2024 — McMap. All rights reserved.