In order to improve account security, we recently enabled X-CSRF-Token validation on the /Data/Upload.ashx endpoint on the Roblox Website.
Unfortunately, this change may break custom scripts which were hitting this endpoint. To correct your scripts, if you get back an HTTP 403 response status code and an X-CSRF-Token header, retry the request with an X-CSRF-Token header set to the value you received.
The X-CSRF-Token request header value is a token that is short-lived and unique. When a request is sent to an API site and the X-CSRF-Token request header is invalid, the request is rejected and the X-CSRF-Token response header is added with the short-lived token. If the requester passes browser security, it can read the response header and send it back as the X-CSRF-Token request header value. If the requester does not pass browser security (i.e. CORS), it will not be able to resubmit the request with the proper token, and the API performs no action.
The Roblox Team
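The retry described above, as an added example that is not Roblox's code: a small client that caches the token and resends once when a 403 arrives with an X-CSRF-Token header. The `send` transport hook, the `FakeUploadEndpoint` stand-in and the token values are assumptions constructed so the example runs offline.

```python
from typing import Callable, Dict, Optional, Tuple

Response = Tuple[int, Dict[str, str], bytes]          # (status, headers, body)
Send = Callable[[Dict[str, str], bytes], Response]    # hypothetical transport hook
CSRF_HEADER = "X-CSRF-Token"

def get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Header names are case-insensitive, so compare them lowercased."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)

class CsrfClient:
    """Caches the token and retries once on 403 + X-CSRF-Token."""
    def __init__(self, send: Send) -> None:
        self.send = send
        self.token: Optional[str] = None

    def post(self, body: bytes) -> Response:
        headers = {CSRF_HEADER: self.token} if self.token else {}
        status, resp_headers, resp_body = self.send(headers, body)
        fresh = get_header(resp_headers, CSRF_HEADER)
        # Retry only when the rejection carries a token; a bare 403 is a real
        # denial, and a single retry keeps a misbehaving server from looping us.
        if status == 403 and fresh:
            self.token = fresh
            status, resp_headers, resp_body = self.send({CSRF_HEADER: fresh}, body)
        return status, resp_headers, resp_body

class FakeUploadEndpoint:
    """Constructed stand-in for the endpoint; token values are made up."""
    def __init__(self) -> None:
        self.current = "constructed-token-1"
        self.uploads = []

    def __call__(self, headers: Dict[str, str], body: bytes) -> Response:
        if get_header(headers, CSRF_HEADER) != self.current:
            return 403, {"x-csrf-token": self.current}, b""   # rejected, no action
        self.uploads.append(body)
        return 200, {}, b"ok"

if __name__ == "__main__":
    server = FakeUploadEndpoint()
    client = CsrfClient(server)
    print(client.post(b"asset-1")[0])          # first call: 403, then retried
    server.current = "constructed-token-2"     # the short-lived token expires
    print(client.post(b"asset-2")[0])          # stale token: 403, then retried
    print(len(server.uploads))
```

In a real script, `send` would wrap the HTTP library call and carry the same session cookies on both attempts.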