Minimal APIs: IFormFile parameters require anti-forgery checks

Minimal API endpoints that consume an IFormFile or IFormFileCollection are now opted in to anti-forgery token validation, which is performed by the new anti-forgery middleware.

Version introduced

ASP.NET Core 8.0 RC 1

Previous behavior

Minimal API endpoints that bound a parameter from the form via IFormFile or IFormFileCollection did not require anti-forgery validation.

New behavior

Minimal API endpoints that bind a parameter from the form via IFormFile or IFormFileCollection require anti-forgery validation. An exception is thrown at startup if the anti-forgery middleware isn't registered for an API that defines these input types.

Type of breaking change

This change is a behavioral change.

Reason for change

Anti-forgery token validation is a recommended security precaution for APIs that consume data from a form.

Recommended action

You can opt out of anti-forgery validation for specific endpoints by using the DisableAntiforgery<TBuilder>(TBuilder) method.

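var app = WebApplication.Create();

// DisableAntiforgery() opts only this endpoint out of anti-forgery validation.
app.MapPost("/", (IFormFile formFile) => Results.Ok(formFile.Length))
  .DisableAntiforgery();

app.Run();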
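For endpoints that should keep the validation rather than opt out, the following added example (not part of the original page) registers the anti-forgery services and middleware so the startup exception described under "New behavior" doesn't occur, and issues a token for an upload form. The routes /upload and /upload-unprotected and the HTML form are assumptions made for illustration.

```csharp
using Microsoft.AspNetCore.Antiforgery;

var builder = WebApplication.CreateBuilder(args);

// Register the anti-forgery services used by the middleware and by IAntiforgery.
builder.Services.AddAntiforgery();

var app = builder.Build();

// Without this middleware, an endpoint that binds IFormFile fails at startup.
app.UseAntiforgery();

// Hypothetical page: issues the cookie token and embeds the matching request
// token as a hidden field in the multipart form.
app.MapGet("/", (HttpContext context, IAntiforgery antiforgery) =>
{
    var tokens = antiforgery.GetAndStoreTokens(context);
    var html = $"""
        <form action="/upload" method="post" enctype="multipart/form-data">
          <input type="hidden" name="{tokens.FormFieldName}" value="{tokens.RequestToken}" />
          <input type="file" name="formFile" />
          <button type="submit">Upload</button>
        </form>
        """;
    return Results.Content(html, "text/html");
});

// Validated endpoint: a POST without a valid token pair is rejected
// before the handler runs.
app.MapPost("/upload", (IFormFile formFile) =>
    Results.Ok(new { formFile.Length }));

// Opted-out endpoint, for comparison: accepts the upload with no token.
// Reserve this for endpoints that don't rely on cookie-based authentication.
app.MapPost("/upload-unprotected", (IFormFile formFile) =>
    Results.Ok(new { formFile.Length }))
   .DisableAntiforgery();

app.Run();
```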

Affected APIs

N/A