CA5395: Miss HttpVerb attribute for action methods
Property | Value |
---|---|
Rule ID | CA5395 |
Title | Miss HttpVerb attribute for action methods |
Category | Security |
Fix is breaking or non-breaking | Non-breaking |
Enabled by default in .NET 9 | No |
Not specifying the kind of HTTP request explicitly for action methods.
All the action methods that create, edit, delete, or otherwise modify data needs to be protected with the antiforgery attribute from cross-site request forgery attacks. Performing a GET operation should be a safe operation that has no side effects and doesn't modify your persisted data.
Mark the action methods with HttpVerb
attribute.
It's safe to suppress warnings from this rule if:
- You're sure that no modifying operation is taking place in the action method. Or, it's not an action method at all.
- Solutions other than using antiforgery token attributes are adopted to mitigate CSRF vulnerabilities. For more information, see Prevent Cross-Site Request Forgery (XSRF/CSRF) attacks in ASP.NET Core.
If you just want to suppress a single violation, add preprocessor directives to your source file to disable and then re-enable the rule.
#pragma warning disable CA5395
// The code that's violating the rule is on this line.
#pragma warning restore CA5395
To disable the rule for a file, folder, or project, set its severity to none
in the configuration file.
[*.{cs,vb}]
dotnet_diagnostic.CA5395.severity = none
For more information, see How to suppress code analysis warnings.
using Microsoft.AspNetCore.Mvc;
[ValidateAntiForgeryToken]
class BlahController : Controller
{
}
class ExampleController : Controller
{
public IActionResult ExampleAction()
{
return null;
}
}
using Microsoft.AspNetCore.Mvc;
[ValidateAntiForgeryToken]
class BlahController : Controller
{
}
class ExampleController : Controller
{
[HttpGet]
public IActionResult ExampleAction()
{
return null;
}
}
.NET feedback
.NET is an open source project. Select a link to provide feedback: