CA5365: Do Not Disable HTTP Header Checking
| Property | Value |
|---|---|
| Rule ID | CA5365 |
| Title | Do Not Disable HTTP Header Checking |
| Category | Security |
| Fix is breaking or non-breaking | Non-breaking |
| Enabled by default in .NET 8 | No |
Cause
Set EnableHeaderChecking to false.
Rule description
HTTP header checking enables encoding of the carriage return and newline characters, \r and \n, that are found in response headers. This encoding can help to avoid injection attacks that exploit an application that echoes untrusted data contained in the header.
How to fix violations
Set EnableHeaderChecking to true. Or, remove the assignment to false because the default value is true.
When to suppress warnings
HTTP header continuations rely on headers spanning multiple lines and require new lines in them. If you need to use header continuations, you need to set the EnableHeaderChecking property to false. There is a performance impact from checking the headers. If you are certain you are already doing the right checks, turning off this feature can improve the performance of your application. Before you disable this feature, be sure you are already taking the right precautions in this area.
Suppress a warning
If you just want to suppress a single violation, add preprocessor directives to your source file to disable and then re-enable the rule.
#pragma warning disable CA5365
// The code that's violating the rule is on this line.
#pragma warning restore CA5365
To disable the rule for a file, folder, or project, set its severity to none in the configuration file.
[*.{cs,vb}]
dotnet_diagnostic.CA5365.severity = none
For more information, see How to suppress code analysis warnings.
Pseudo-code examples
using System;
using System.Web.Configuration;
class TestClass
{
public void TestMethod()
{
HttpRuntimeSection httpRuntimeSection = new HttpRuntimeSection();
httpRuntimeSection.EnableHeaderChecking = false;
}
}
Solution
using System;
using System.Web.Configuration;
class TestClass
{
public void TestMethod()
{
HttpRuntimeSection httpRuntimeSection = new HttpRuntimeSection();
httpRuntimeSection.EnableHeaderChecking = true;
}
}
