Minimal API endpoints that consume an IFormFile or IFormFileCollection are now opted in to anti-forgery token validation using the new anti-forgery middleware.
Version
.NET 8 RC 1
Previous behavior
Minimal API endpoints that bound a parameter from the form via IFormFile or IFormFileCollection did not require anti-forgery validation.
New behavior
Minimal API endpoints that bind a parameter from the form via IFormFile or IFormFileCollection now require anti-forgery validation. An exception will be thrown at startup if the anti-forgery middleware is not registered for an API that defines these input types.
Type of breaking change
[ ] Binary incompatible: Existing binaries may encounter a breaking change in behavior, such as failure to load or execute, and if so, require recompilation.
[ ] Source incompatible: When recompiled using the new SDK or component or to target the new runtime, existing source code may require source changes to compile successfully.
[X] Behavioral change: Existing binaries may behave differently at run time.
Reason for change
Anti-forgery token validation is a recommended security precaution for APIs that consume data from a form.
Recommended action
Users can opt out of anti-forgery validation for specific endpoints by using the DisableAntiforgery method like so:
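The following is an added example, not code from the original announcement. It shows the middleware registration the new behavior expects, an upload endpoint that keeps validation, and one that opts out with DisableAntiforgery. The routes /token, /upload and /upload-no-csrf are assumptions chosen for illustration.

```csharp
using Microsoft.AspNetCore.Antiforgery;

var builder = WebApplication.CreateBuilder(args);

// Register the anti-forgery services used by the middleware below.
builder.Services.AddAntiforgery();

var app = builder.Build();

// Register the anti-forgery middleware. Per this notice, an exception is
// thrown if it is missing while an endpoint binds IFormFile or
// IFormFileCollection.
app.UseAntiforgery();

// Illustrative helper endpoint: stores the cookie token on the response and
// returns the request token that the client must post back with the form.
app.MapGet("/token", (HttpContext context, IAntiforgery antiforgery) =>
{
    var tokens = antiforgery.GetAndStoreTokens(context);
    return Results.Ok(new
    {
        fieldName = tokens.FormFieldName,
        requestToken = tokens.RequestToken
    });
});

// Binds IFormFile, so anti-forgery validation is required by default.
// A multipart POST without a valid token is rejected before the handler runs.
app.MapPost("/upload", (IFormFile file) =>
    Results.Ok(new { file.FileName, file.Length }));

// Binds IFormFileCollection but explicitly opts out of validation
// for this endpoint only.
app.MapPost("/upload-no-csrf", (IFormFileCollection files) =>
    Results.Ok(files.Select(f => f.FileName)))
    .DisableAntiforgery();

app.Run();
```

Opting out fits endpoints that do not rely on credentials the browser attaches automatically, such as cookies; an endpoint whose callers authenticate with a bearer token in a header is the usual case.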
Affected APIs
None.