aspnet / Announcements

Subscribe to this repo to be notified about major changes in ASP.NET Core and Entity Framework Core

[Breaking change]: Minimal APIs consuming IFormFile or IFormFileCollection parameters require anti-forgery checks #509

Open captainsafia opened 10 months ago

captainsafia commented 10 months ago

Description

Minimal API endpoints that consume an IFormFile or IFormFileCollection will now be opted in to requiring anti-forgery token validation using the new anti-forgery middleware.

Version

.NET 8 RC 1

Previous behavior

Minimal API endpoints that bound a parameter from the form via IFormFile or IFormFileCollection did not require anti-forgery validation.

New behavior

Minimal API endpoints that bind a parameter from the form via IFormFile or IFormFileCollection now require anti-forgery validation. An exception will be thrown at startup if the anti-forgery middleware is not registered for an API that defines these input types.

Type of breaking change

Reason for change

Anti-forgery token validation is a recommended security precaution for APIs that consume data from a form.

Recommended action

Users can opt out of anti-forgery validation for specific endpoints by using the DisableAntiforgery method like so:

var app = WebApplication.Create();

app.MapPost("/", (IFormFile formFile) => ...)
  .DisableAntiforgery();

app.Run();

Affected APIs

None.
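
For endpoints that should keep the validation rather than opt out, the following Program.cs registers the anti-forgery middleware the announcement refers to and issues a token for an upload form. It is an added example, not code from the announcement or the ASP.NET Core repository; the /upload route, the form markup and the response shape are assumptions.

```csharp
// Added example for a .NET 8 minimal API project (Web SDK implicit usings assumed).
using Microsoft.AspNetCore.Antiforgery;

var builder = WebApplication.CreateBuilder(args);

// Register the anti-forgery services that the middleware depends on.
builder.Services.AddAntiforgery();

var app = builder.Build();

// Register the anti-forgery middleware. Without it, the IFormFile endpoint
// below causes the startup exception described under "New behavior".
app.UseAntiforgery();

// Hypothetical form page: stores the cookie token on the response and embeds
// the matching request token as a hidden form field.
app.MapGet("/upload", (HttpContext context, IAntiforgery antiforgery) =>
{
    var tokens = antiforgery.GetAndStoreTokens(context);
    var html = $"""
        <form action="/upload" method="post" enctype="multipart/form-data">
          <input type="hidden" name="{tokens.FormFieldName}" value="{tokens.RequestToken}" />
          <input type="file" name="formFile" />
          <button type="submit">Upload</button>
        </form>
        """;
    return Results.Content(html, "text/html");
});

// Validated endpoint: no DisableAntiforgery() call, so a POST that lacks a
// valid token fails validation and never reaches the handler body.
app.MapPost("/upload", (IFormFile formFile) =>
    Results.Ok(new { formFile.FileName, formFile.Length }));

app.Run();
```

If the application also uses authentication and authorization middleware, call UseAntiforgery after them.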