UPD: Same question asked on security.stackexchange.com and the answer I got is different. Please follow there, to get the correct answer!
I'm running a rather large site with thousands of visits every day, and a rather large userbase.
Since I started migrating to MVC 3, I've been putting the AntiForgeryToken in a number of forms, that modify protected data etc.
Some other forms, like the login / registration also use the AntiForgeryToken now, but I'm becoming dubious about their need there in the first place, for a couple reasons...
There are possibly other reasons why would one use/not use the token in their forms.. Am I correct in assuming that using the token in every post form is bad / overkill, and if so - what kind of forms would benefit from it, and which ones would definitely NOT benefit?
Anti forgery tokens are useless in public parts of the site where users are not yet authenticated such as login and register forms. The way CSRF attack works is the following:
So you could use anti forgery tokens on authenticated parts of your site containing actions that could modify somehow the user state.
Remark: checking the Referer header for identifying that a request came from your site is not secure. Anyone can forge a request and spoof this header.