I decided in the end that as the post was made by a form rather than AJAX, the method should have been in a standard MVC controller rather than a WebAPI one. That way I could use the standard MVC Html.AntiForgeryToken helper on the form and the ValidateAntiForgeryToken attribute on the method.
CSRF protection for file upload posts
28-08-2022
Question
I have an AngularJS application in which I use Angular's CSRF protection mechanism for all POST, PUT and other nonsafe web service calls. It works well except for one case: a multipart/form-data POST which uploads a file to the server.
In this case, as I am posting a form and file data directly to the web service, the angular $http service is not involved, and therefore does not append the CSRF header to the request in the way that it does with XHR requests.
I have a couple of questions:
- Do I need to protect this POST against CSRF (I imagine I do)?
- Can I / how can I get Angular to add the CSRF header to the POST request?
Solution 2
Other tips
If you upload a file to the server by means of XHR through jQuery, you can add a default header:
    // myToken must hold the request verification token issued by the server
    $.ajaxSetup({
        headers: {
            "requestVerificationToken": myToken
        }
    });
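An added example, not part of the original answers: one way to send the multipart upload by XHR/fetch so that it carries the same X-XSRF-TOKEN header AngularJS $http adds by default (copied from the XSRF-TOKEN cookie), together with the matching server-side comparison. The function names, the /api/upload endpoint and the token values are assumptions made for illustration.

```javascript
// Added example: names, URL and token values below are illustrative assumptions.

// Extract one cookie value from a document.cookie-style string.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    if (part.slice(0, idx).trim() === name) {
      return decodeURIComponent(part.slice(idx + 1).trim());
    }
  }
  return null;
}

// Client side: build fetch options for a multipart upload that carries the
// header AngularJS $http adds by default (X-XSRF-TOKEN, copied from the
// XSRF-TOKEN cookie). Content-Type is left unset on purpose so the browser
// generates the multipart boundary for the FormData body.
function csrfUploadOptions(cookieString, formData) {
  const token = readCookie(cookieString, 'XSRF-TOKEN');
  if (!token) throw new Error('XSRF-TOKEN cookie missing; refusing to upload');
  return {
    method: 'POST',
    credentials: 'same-origin',
    headers: { 'X-XSRF-TOKEN': token },
    body: formData,
  };
}

// Server side (double-submit check): the header must equal the cookie.
// Every character is compared so timing does not reveal a prefix match.
function tokensMatch(cookieToken, headerToken) {
  if (typeof cookieToken !== 'string' || typeof headerToken !== 'string') return false;
  if (cookieToken.length === 0 || cookieToken.length !== headerToken.length) return false;
  let diff = 0;
  for (let i = 0; i < cookieToken.length; i++) {
    diff |= cookieToken.charCodeAt(i) ^ headerToken.charCodeAt(i);
  }
  return diff === 0;
}

// Browser usage (hypothetical endpoint):
//   const fd = new FormData();
//   fd.append('file', fileInput.files[0]);
//   fetch('/api/upload', csrfUploadOptions(document.cookie, fd));
```

A plain HTML form post cannot set a custom header, so a request arriving without X-XSRF-TOKEN fails the check; a form submitted that way needs the token in a hidden field instead.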
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow