| Property | Value |
|---|---|
| Rule ID | CA3147 |
| Title | Mark verb handlers with ValidateAntiForgeryToken |
| Category | Security |
| Fix is breaking or non-breaking | Non-breaking |
| Enabled by default in .NET 9 | No |
An ASP.NET MVC controller action method isn't marked with either ValidateAntiForgeryTokenAttribute or an attribute that restricts the HTTP verb, such as HttpGetAttribute or AcceptVerbsAttribute.
When designing an ASP.NET MVC controller, be mindful of cross-site request forgery attacks. A cross-site request forgery attack can send malicious requests from an authenticated user to your ASP.NET MVC controller. For more information, see XSRF/CSRF prevention in ASP.NET MVC and web pages.
This rule checks that ASP.NET MVC controller action methods either:

- Have the ValidateAntiForgeryTokenAttribute and specify allowed HTTP verbs, not including HTTP GET.
- Specify HTTP GET as an allowed verb.
For ASP.NET MVC controller actions that handle HTTP GET requests and don't have potentially harmful side effects, add an HttpGetAttribute to the method.
If you have an ASP.NET MVC controller action that handles HTTP GET requests and has potentially harmful side effects such as modifying sensitive data, then your application is vulnerable to cross-site request forgery attacks. You'll need to redesign your application so that only HTTP POST, PUT, or DELETE requests perform sensitive operations.
For ASP.NET MVC controller actions that handle HTTP POST, PUT, or DELETE requests, add ValidateAntiForgeryTokenAttribute and attributes specifying the allowed HTTP verbs (AcceptVerbsAttribute, HttpPostAttribute, HttpPutAttribute, or HttpDeleteAttribute). Additionally, you need to call the HtmlHelper.AntiForgeryToken() method from your MVC view or Razor web page. For an example, see Examining the edit methods and edit view.
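The two conditions above can also be enforced at test time, so a controller that slips past the analyzer (for example in a project where the rule is not enabled) still fails the build. The helper below is an added example, not part of the analyzer or of ASP.NET MVC: it reflects over every non-abstract Controller subclass in an assembly, collects the verbs each public action opts into through the MVC verb attributes (HttpGet, HttpPost, HttpPut, HttpDelete, AcceptVerbs), and reports every action that neither allows GET nor combines ValidateAntiForgeryToken with an explicit non-GET verb restriction. The class name AntiForgeryAudit and the HomeController in the usage comment are assumed names. It does not check the view side, so the matching @Html.AntiForgeryToken() call in each form remains a manual review item.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Threading.Tasks;
using System.Web.Mvc;

// Hypothetical helper (not part of the analyzer or of ASP.NET MVC): a
// reflection-based audit that applies the same two conditions CA3147 uses,
// so a test project can fail when an action is left unprotected.
public static class AntiForgeryAudit
{
    // Returns one line per public action that neither allows GET nor combines
    // [ValidateAntiForgeryToken] with an explicit non-GET verb restriction.
    public static IReadOnlyList<string> FindUnprotectedActions(Assembly assembly)
    {
        var findings = new List<string>();
        var controllers = assembly.GetTypes()
            .Where(t => !t.IsAbstract && typeof(Controller).IsAssignableFrom(t));

        foreach (var controller in controllers)
        {
            var actions = controller.GetMethods(BindingFlags.Public | BindingFlags.Instance)
                .Where(m => m.DeclaringType != typeof(Controller)
                         && m.DeclaringType != typeof(ControllerBase)
                         && !m.IsSpecialName
                         && ReturnsActionResult(m.ReturnType)
                         && !m.IsDefined(typeof(NonActionAttribute), inherit: true));

            foreach (var action in actions)
            {
                var verbs = AllowedVerbs(action);
                bool allowsGet = verbs.Contains("GET");
                bool hasToken = action.IsDefined(typeof(ValidateAntiForgeryTokenAttribute), inherit: true);

                // Condition 1: GET is an allowed verb (read-only by contract).
                // Condition 2: token present and verbs explicitly restricted to non-GET.
                if (allowsGet || (hasToken && verbs.Count > 0))
                    continue;

                string verbList = verbs.Count == 0 ? "any" : string.Join(",", verbs);
                findings.Add($"{controller.FullName}.{action.Name}: verbs={verbList}, antiForgeryToken={hasToken}");
            }
        }
        return findings;
    }

    // Sync actions return ActionResult (or a subclass); async ones return Task<ActionResult>.
    private static bool ReturnsActionResult(Type returnType)
    {
        if (typeof(ActionResult).IsAssignableFrom(returnType)) return true;
        return returnType.IsGenericType
            && returnType.GetGenericTypeDefinition() == typeof(Task<>)
            && typeof(ActionResult).IsAssignableFrom(returnType.GetGenericArguments()[0]);
    }

    // Collects the verbs the action opts into via the MVC verb attributes.
    // An empty set means the action answers any verb, which is the case the rule warns about.
    private static HashSet<string> AllowedVerbs(MethodInfo action)
    {
        var verbs = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        if (action.IsDefined(typeof(HttpGetAttribute), true)) verbs.Add("GET");
        if (action.IsDefined(typeof(HttpPostAttribute), true)) verbs.Add("POST");
        if (action.IsDefined(typeof(HttpPutAttribute), true)) verbs.Add("PUT");
        if (action.IsDefined(typeof(HttpDeleteAttribute), true)) verbs.Add("DELETE");
        foreach (var accept in action.GetCustomAttributes<AcceptVerbsAttribute>(inherit: true))
            foreach (var verb in accept.Verbs)
                verbs.Add(verb);
        return verbs;
    }
}

// Example usage from a unit test (HomeController is an assumed name from your web project):
// var unprotected = AntiForgeryAudit.FindUnprotectedActions(typeof(HomeController).Assembly);
// Assert.Empty(unprotected);   // xUnit; each entry names the offending action
```

Applied to the Violation example further down, `TestController.TransferMoney` is reported with `verbs=any, antiForgeryToken=False`; after the Solution is applied (HttpPost plus ValidateAntiForgeryToken) the list is empty. The audit follows the page's two conditions exactly, so an action that allows GET alongside POST passes just as it does under the rule; whether such a mixed action should exist at all is the redesign question raised in the paragraph about harmful side effects.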
It's safe to suppress a warning from this rule if:
If you just want to suppress a single violation, add preprocessor directives to your source file to disable and then re-enable the rule.

```csharp
#pragma warning disable CA3147
// The code that's violating the rule is on this line.
#pragma warning restore CA3147
```

To disable the rule for a file, folder, or project, set its severity to `none` in the configuration file.

```ini
[*.{cs,vb}]
dotnet_diagnostic.CA3147.severity = none
```
For more information, see How to suppress code analysis warnings.
Violation:

```csharp
namespace TestNamespace
{
    using System.Web.Mvc;

    public class TestController : Controller
    {
        public ActionResult TransferMoney(string toAccount, string amount)
        {
            // You don't want an attacker to specify to whom and how much money to transfer.
            return null;
        }
    }
}
```
Solution:

```csharp
using System;
using System.Xml;

namespace TestNamespace
{
    using System.Web.Mvc;

    public class TestController : Controller
    {
        [HttpPost]
        [ValidateAntiForgeryToken]
        public ActionResult TransferMoney(string toAccount, string amount)
        {
            return null;
        }
    }
}
```
Violation:

```csharp
namespace TestNamespace
{
    using System.Web.Mvc;

    public class TestController : Controller
    {
        public ActionResult Help(int topicId)
        {
            // This Help method is an example of a read-only operation with no harmful side effects.
            return null;
        }
    }
}
```
Solution:

```csharp
namespace TestNamespace
{
    using System.Web.Mvc;

    public class TestController : Controller
    {
        [HttpGet]
        public ActionResult Help(int topicId)
        {
            return null;
        }
    }
}
```