Last Updated: 24 Aug 2022 14:25 by ADMIN
Created on: 14 Jul 2022 06:29
Category: Kendo UI for jQuery
Type: Bug Report
Missing Anti-CSRF tokens in kendo.all.min.js

Bug report

Missing Anti-CSRF tokens trigger security alerts when testing for security compliance with OWASP ZAP.

Reproduction of the problem

Current behavior

Expected/desired behavior


  • Kendo UI version: 2022.2.621
  • jQuery version: x.y
  • Browser: [all]
1 comment
Ivan Danchev
Posted on: 24 Aug 2022 14:25

Hello Dion,

After further investigation, the dev team decided that it is not viable to add Anti-CSRF tokens to the kendo.all.min.js, because Kendo UI is used in different environments, not only in .NET (e.g., MVC, Core). Thus, adding tokens and covering all potential requests and environments would require significant changes to the source code. In other words, the lack of tokens is not due to an oversight on our part; instead, they haven't been intended to be included in the source code.

Ivan Danchev
Progress Telerik
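
Since the reply above leaves anti-CSRF tokens to the hosting application, one way to attach them at the application level is shown here. This is an added example, not code from Telerik or from the original report; it assumes the widgets' remote requests go through `jQuery.ajax`, and the header name `X-CSRF-Token`, the `csrf-token` meta tag and the helper names are hypothetical and must match what the server framework validates.

```javascript
// Added example: application-level anti-CSRF token injection for jQuery requests.
// Assumed names (not from the page): X-CSRF-Token header, <meta name="csrf-token">.
const CSRF_HEADER = "X-CSRF-Token";
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Decide whether a request should carry the token: only state-changing
// requests, and only to the page's own origin so the token never leaks
// to a third-party host.
function needsCsrfToken(method, url, pageOrigin) {
  const verb = String(method || "GET").toUpperCase();
  if (SAFE_METHODS.has(verb)) return false;
  let target;
  try {
    target = new URL(url, pageOrigin); // resolves relative and //host URLs
  } catch (e) {
    return false; // unparsable URL: never attach the token
  }
  return target.origin === new URL(pageOrigin).origin;
}

// Build a function with jQuery's prefilter signature
// (options, originalOptions, jqXHR). getToken is called per request so a
// rotated token is picked up without reloading the page.
function makeCsrfPrefilter(getToken, pageOrigin) {
  return function (options, originalOptions, jqXHR) {
    const method = options.type || options.method;
    if (!needsCsrfToken(method, options.url, pageOrigin)) return;
    const token = getToken();
    if (token) jqXHR.setRequestHeader(CSRF_HEADER, token);
  };
}

// Browser wiring: register once, after jQuery loads and before widgets are
// initialised. Skipped when no window or jQuery is present.
if (typeof window !== "undefined" && window.jQuery) {
  const readToken = () => {
    const meta = document.querySelector('meta[name="csrf-token"]');
    return meta ? meta.content : "";
  };
  window.jQuery.ajaxPrefilter(makeCsrfPrefilter(readToken, window.location.origin));
}
```

The server still has to issue the token and reject state-changing requests that arrive without a valid one; the client-side header alone provides no protection.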
