Minimal API endpoints that consume an IFormFile or IFormFileCollection are now opted into requiring anti-forgery token validation using the new anti-forgery middleware.
Version introduced
ASP.NET Core 8.0 RC 1
Previous behavior
Minimal API endpoints that bound a parameter from the form via IFormFile or IFormFileCollection did not require anti-forgery validation.
New behavior
Minimal API endpoints that bind a parameter from the form via IFormFile or IFormFileCollection require anti-forgery validation. An exception is thrown at startup if the anti-forgery middleware isn't registered for an API that defines these input types.
Type of breaking change
This change is a behavioral change.
Reason for change
Anti-forgery token validation is a recommended security precaution for APIs that consume data from a form.
Recommended action
You can opt out of anti-forgery validation for specific endpoints by using the DisableAntiforgery<TBuilder>(TBuilder) method.
var app = WebApplication.Create();

// Opt only this endpoint out of anti-forgery validation.
app.MapPost("/", (IFormFile formFile) => ...)
    .DisableAntiforgery();

app.Run();
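To keep validation enabled instead of opting out, register the anti-forgery services and middleware and send a token with the upload form. The following is an added example, not code from the original page; the routes `/form` and `/upload` and the field name `file` are assumptions chosen for illustration.

```csharp
using Microsoft.AspNetCore.Antiforgery;

var builder = WebApplication.CreateBuilder(args);

// Registers IAntiforgery and its token services.
builder.Services.AddAntiforgery();

var app = builder.Build();

// Without this middleware, an endpoint that binds IFormFile throws at startup.
// If authentication/authorization middleware is used, place this call after it.
app.UseAntiforgery();

// Serves an upload form carrying the anti-forgery token as a hidden field.
// GetAndStoreTokens also sets the matching cookie on the response.
app.MapGet("/form", (HttpContext context, IAntiforgery antiforgery) =>
{
    AntiforgeryTokenSet tokens = antiforgery.GetAndStoreTokens(context);
    var html = $"""
        <html>
          <body>
            <form action="/upload" method="post" enctype="multipart/form-data">
              <input type="hidden" name="{tokens.FormFieldName}" value="{tokens.RequestToken}" />
              <input type="file" name="file" />
              <input type="submit" value="Upload" />
            </form>
          </body>
        </html>
        """;
    return Results.Content(html, "text/html");
});

// Binds IFormFile, so anti-forgery validation applies to this endpoint.
// A POST that lacks a valid token/cookie pair is rejected before the handler runs.
app.MapPost("/upload", (IFormFile file) =>
    Results.Ok(new { file.FileName, file.Length }));

app.Run();
```

Non-browser clients that post to `/upload` must first obtain the cookie and request token, then send both with the form.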
Affected APIs
N/A