CA5395: Miss HttpVerb attribute for action methods

Property Value
Rule ID CA5395
Title Miss HttpVerb attribute for action methods
Category Security
Fix is breaking or non-breaking Non-breaking
Enabled by default in .NET 9 No

Cause

Not specifying the kind of HTTP request explicitly for action methods.

Rule description

All the action methods that create, edit, delete, or otherwise modify data needs to be protected with the antiforgery attribute from cross-site request forgery attacks. Performing a GET operation should be a safe operation that has no side effects and doesn't modify your persisted data.

How to fix violations

Mark the action methods with HttpVerb attribute.

When to suppress warnings

It's safe to suppress warnings from this rule if:

Suppress a warning

If you just want to suppress a single violation, add preprocessor directives to your source file to disable and then re-enable the rule.

#pragma warning disable CA5395
// The code that's violating the rule is on this line.
#pragma warning restore CA5395

To disable the rule for a file, folder, or project, set its severity to none in the configuration file.

[*.{cs,vb}]
dotnet_diagnostic.CA5395.severity = none

For more information, see How to suppress code analysis warnings.

Pseudo-code examples

Violation

using Microsoft.AspNetCore.Mvc;

[ValidateAntiForgeryToken]
class BlahController : Controller
{
}

class ExampleController : Controller
{
    public IActionResult ExampleAction()
    {
        return null;
    }
}

Solution

using Microsoft.AspNetCore.Mvc;

[ValidateAntiForgeryToken]
class BlahController : Controller
{
}

class ExampleController : Controller
{
    [HttpGet]
    public IActionResult ExampleAction()
    {
        return null;
    }
}