CA5365: Do Not Disable HTTP Header Checking

Property Value
Rule ID CA5365
Title Do Not Disable HTTP Header Checking
Category Security
Fix is breaking or non-breaking Non-breaking
Enabled by default in .NET 9 No

Cause

Set EnableHeaderChecking to false.

Rule description

HTTP header checking enables encoding of the carriage return and newline characters, \r and \n, that are found in response headers. This encoding can help to avoid injection attacks that exploit an application that echoes untrusted data contained in the header.

How to fix violations

Set EnableHeaderChecking to true. Or, remove the assignment to false because the default value is true.

When to suppress warnings

HTTP header continuations rely on headers spanning multiple lines and require new lines in them. If you need to use header continuations, you need to set the EnableHeaderChecking property to false. There is a performance impact from checking the headers. If you are certain you are already doing the right checks, turning off this feature can improve the performance of your application. Before you disable this feature, be sure you are already taking the right precautions in this area.

Suppress a warning

If you just want to suppress a single violation, add preprocessor directives to your source file to disable and then re-enable the rule.

#pragma warning disable CA5365
// The code that's violating the rule is on this line.
#pragma warning restore CA5365

To disable the rule for a file, folder, or project, set its severity to none in the configuration file.

[*.{cs,vb}]
dotnet_diagnostic.CA5365.severity = none

For more information, see How to suppress code analysis warnings.

Pseudo-code examples

using System;
using System.Web.Configuration;

class TestClass
{
    public void TestMethod()
    {
        HttpRuntimeSection httpRuntimeSection = new HttpRuntimeSection();
        httpRuntimeSection.EnableHeaderChecking = false;
    }
}

Solution

using System;
using System.Web.Configuration;

class TestClass
{
    public void TestMethod()
    {
        HttpRuntimeSection httpRuntimeSection = new HttpRuntimeSection();
        httpRuntimeSection.EnableHeaderChecking = true;
    }
}