Changes to the /Data/Upload.ashx endpoint (X-CSRF-Token validation)

Hi everyone,

In order to improve account security we recently enabled X-CSRF-Token validation on the /Data/Upload.ashx endpoint on the Roblox Website.

Unfortunately this change may break custom scripts which were hitting this endpoint. To correct your scripts, if you get back a HTTP 403 response status code and a X-CSRF-Token header, retry the request with a X-CSRF-Token header set to the value you received.

The X-CSRF-Token request header value is a token that is short-lived and unique. When a request is sent to an API site and the X-CSRF-Token request header is invalid the request is rejected and the X-CSRF-Token response header is added with the short-lived token. If the requester passes browser security it can read the response header and send it back as the X-CSRF-Token request header value. If the requester does not pass browser security (i.e. CORS) they will not be able to resubmit the request with the proper token, and the API performs no action.

The Roblox Team


This topic was automatically opened after 14 minutes.

Why were developers notified after this script-breaking token was enabled? Could you of not provided at least a one-day notice?

Edit: I now understand the sudden switch as it is apparently a vulnerability.


I’m glad that the Roblox team is working on security on the APIs as a whole.

X-CSRF, while sometimes annoying from a developer’s perspective, helps prevent malicious sites from accessing the API.
The next step I hope your team takes to help protect the APIs is to stop the issue with rbx-authentication-ticket headers being used to access the ROBLOSECURITY token through JavaScript. This would put a stop to some cookie logging operations/sites and would help stop scams like this as a whole.

Thank you for keeping Roblox a safe and secure community. These changes may look small, especially to someone who doesn’t use the API, but slowly they help pave the way for a more secure space.


Definitely a good idea!

This will definitely be a nice addition to Roblox to take care of cross-site request forgery (if I understand this topic correctly).

I do have one question, though. Has this change been implemented for a couple of days now? Because I do recall getting HTTP 403 errors before this announcement.

Other than that, great job once again!


This token has been a thing on almost all POST requests to endpoints and this endpoint was one of the few odd ones out, so I think it shouldn’t have been a surprise that this was coming.

Our library wraps GET, POST, and other requests and handles them appropriately (plus handles X-CSRF) and I can imagine a lot of independent code and other libraries also have a function that handles this automatically and a change like this wouldn’t cause any issues.

1 Like

Yes. Most POST requests to Roblox API endpoints require X-CSRF to be handled. You can write a function that wraps your request library’s default POST that sends the request, grabs the X-CSRF out of the headers, and stores it for the next request, and then sends that POST again if it errored with a 403.

1 Like

This change broke the upload part of Rojo. Why were we not informed of this until after it had been flipped?


I have no idea what Upload.ashx is about, does anyone care to explain it to me in one or two sentences?


It is an endpoint used to upload assets.

so why weren’t us developers told about this before the update??

I’m posting too much in this thread, but it’s possible that if they revealed that they were adding extra security to an endpoint scammers and exploiters would jump to immediately use it while the security isn’t there yet. I can’t imagine this change would be something you could easily exploit in that way, but it’s possible.


I personally think that this was long overdue. While this may be annoying for developers that relied on this endpoint, it is a huge security improvement and Roblox does not have the best account security so this was kind of essential. Hopefully we can get more security improvements like this in the future such as improved 2-step verification that uses either an authenticator app or SMS to send a code.


I am glad that XSS and general security is being updated, because it really is nice to start feeling safe on Roblox again! Although this is a very sudden update and I feel like giving a notice would of been best. Also, do you think you will plan any other security updates to help stop other type of account hijacking methods(cookielogging via xjavascript, bruteforcing, etc.)?


It’s wonderful to see Roblox working on increasing their platform security on the APIs, however, I don’t understand why we’re being told this after you broke a LOT of scripts? It would have been amazing if we were told a week or so before hand so we could actually have enough time to get ready for the new update…


ikr… they should have told us before the update and before breaking many scripts

Let alone you now have issues with Rojo uploading causing complete issues with uploading updates and stuff…

ill have to agree on that… they should have given us a day or two to prepare…

In this case we didn’t want to draw attention to this vulnerability because it would likely lead to bad actors abusing it until we applied the fix. We are sad every time we have to break developer workflows and generally avoid it.


I’ve been stuck on this page for the past hour after uploading some bird sounds. Every page shows this:

The bird sound loop also got my alternate account a strike for some reason.

I work really long days to sustain a successful game and I need to stay productive. Lost hours like this are time that I could have spent with my family.