Meet the SharePoint FormDigest

By | 2014-01-24

Even as we move “forward” as SharePoint Community with SharePoint Apps, there is also still great value in Farm Solutions and the development we can do there.

One of the scenario’s we all implement is probably something like this:

Client application (browser) -> POST JSON data -> Custom WCF REST Service 
located in /_layouts/
-> Do something withSPList/SPListItem/SPWeb etc.

If so, did you receive the “The security validation for this page is invalid” error when you called the Update() on your object?

And did you start adding code like:

  • SPSecurity.RunWithElevatedPrivileges (MSDN)
  • SPWeb.AllowUnsafeUpdates = true;(MSDN)


There is a much better and nicer solution.

Step 1

Add the following (if it is not already present in your (application) Page header where you want to call your Web Service from:

Step 2

Next we are going to add a WebControl, I add this to my¬†ContentPlaceHolderID=”PlaceHolderMain”:

Step 3

As of now we have a hidden field in the html were SharePoint can store the FormDigest token. We then need to send this token with our ajax call to our Web Service:

Step 4

And now we can check the FormDigest inside our WebService logic:

Wrap-up or “uitsmijter”

I want to close with the reason to do this: to check if the call to our service is legit and not made through some XSS attack! If you do not do this properly SharePoint will throw the Exception “The security validation for this page is invalid.”

thanks for the info

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.