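Protect uploads with antiforgery tokens. Set EnableAntiforgery="true"
to automatically include the ViewState validation token with upload requests,
preventing CSRF attacks. Also set ViewStateUserKey in code-behind for
per-session token binding: without it, the view state MAC shows only that the
server issued the value, not which user's session it was issued to.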
Drag & drop files here, or paste from clipboard
<%-- ASPX markup --%>
<%-- EnableAntiforgery="true" is the switch the description above relies on to attach
     the view state validation token to upload requests.
     NOTE(review): this markup does not show the server side. Confirm that the upload
     handler rejects requests whose token is missing or invalid, otherwise the
     attribute adds no protection. --%>
<au:AjaxFileUpload ID="Uploader1" runat="server"
AllowMultiple="true"
AutoUpload="true"
EnableAntiforgery="true"
ShowProgress="true" />
<%-- Code-behind: bind ViewStateUserKey per session --%>
/// <summary>
/// Ties this page's view state to the current session by using the session ID
/// as the <c>ViewStateUserKey</c>.
/// </summary>
/// <param name="e">Event data passed through to the base implementation.</param>
/// <remarks>
/// <c>ViewStateUserKey</c> has to be assigned during the Init stage of the page
/// life cycle, which is why this lives in <c>OnInit</c>.
/// NOTE(review): with cookie-based session state, ASP.NET hands out a new
/// <c>SessionID</c> on every request until something is stored in <c>Session</c>.
/// Confirm the application writes to the session (for example in
/// <c>Session_Start</c>) so the key stays stable between the page render and
/// the upload request.
/// NOTE(review): <c>Session</c> is dereferenced without a null check; confirm
/// session state is enabled for every page that inherits this code.
/// </remarks>
protected override void OnInit(EventArgs e)
{
    base.OnInit(e);

    // Read the identifier first so the binding step below is a plain assignment.
    string currentSessionId = this.Session.SessionID;
    this.ViewStateUserKey = currentSessionId;
}
<%-- JavaScript API: pass the token in custom headers --%>
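// Look up the hidden __VIEWSTATE field whose value is sent as the antiforgery header.
var viewStateField = document.getElementById('__VIEWSTATE');
if (!viewStateField) {
    // Fail closed with a clear message instead of an opaque TypeError:
    // an uploader must not be created if it cannot send the token.
    throw new Error('__VIEWSTATE field not found; cannot attach the antiforgery token to uploads.');
}

// NOTE(review): the header protects uploads only if the server-side handler
// validates it and rejects requests where it is missing or invalid (confirm).
// NOTE(review): the value is read once, when the uploader is created. If the
// page's view state changes later, uploads would carry a stale token (verify).
// NOTE(review): __VIEWSTATE can be large; check it against the request header
// size limits of the server and any proxy in front of it.
AjaxUploader.create(el, {
    uploadUrl: '/ajaxupload.axd/upload',
    headers: {
        'X-AntiForgery-Token': viewStateField.value
    }
});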
<%-- web.config: enable ViewState MAC validation --%>
<system.web>
<!-- View state MAC validation makes the __VIEWSTATE value tamper-evident; the
     token scheme described on this page depends on it.
     NOTE(review): on ASP.NET 4.5.2 and later the runtime enforces the MAC
     regardless of this attribute, so the explicit setting mainly matters on
     older runtimes. Confirm the target framework version.
     NOTE(review): the MAC is keyed by the application's machineKey. On a web
     farm every node needs the same key, and the key must be kept secret. -->
<pages enableViewStateMac="true" />
</system.web>