Minimal APIs: IFormFile parameters require anti-forgery checks

Article
12/07/2023

Minimal API endpoints that consume an IFormFile or IFormFileCollection are now opted into requiring anti-forgery token validation using the new anti-forgery middleware.

Version introduced

ASP.NET Core 8.0 RC 1

Previous behavior

Minimal API endpoints that bound a parameter from the form via IFormFile or IFormFileCollection did not require anti-forgery validation.

New behavior

Minimal API endpoints that bind a parameter from the form via IFormFile or IFormFileCollection require anti-forgery validation. An exception is thrown at startup if the anti-forgery middleware isn't registered for an API that defines these input types.

Type of breaking change

This change is a behavioral change.

Reason for change

Anti-forgery token validation is a recommended security precaution for APIs that consume data from a form.

Recommended action

You can opt out of anti-forgery validation for specific endpoints by using the DisableAntiforgery<TBuilder>(TBuilder) method.

var app = WebApplication.Create();

app.MapPost("/", (IFormFile formFile) => ...)
  .DisableAntiforgery();

app.Run();

Affected APIs

N/A

Share via