CSRF protection for file upload posts

Question

I have an angularJS application in which I use Angular's CSRF protection mechanism for all POST, PUT and other nonsafe web service calls. It works well except for one case: a multipart/form-data POST which uploads a file to the server.

In this case, as I am posting a form and file data directly to the web service, the angular $http service is not involved, and therefore does not append the CSRF header to the request in the way that it does with XHR requests.

I have a couple of questions:

• do I need to protect this POST against CSRF (I imagine I do)
• can I / how can I get Angular to add the CSRF header to the POST request?

Answer 1

I decided in the end that as the post was made by a form rather than AJAX, the method should have been in a standard MVC controller rather that a WebAPI one. That way I could use the standard MVC Html.AntiForgeryToken helper on the form and the ValidateAntiForgeryToken attribute on the method.

Answer 2

If you uploads a file to the server by means of XHR through jQuery, you can add default header:

$.ajaxSetup({
    headers: {
        "requestVerificationToken": myToken
    }
});