CA5395: Miss HttpVerb attribute for action methods
Property | Value |
---|---|
Rule ID | CA5395 |
Title | Miss HttpVerb attribute for action methods |
Category | Security |
Fix is breaking or non-breaking | Non-breaking |
Enabled by default in .NET 9 | No |
Cause
Not specifying the kind of HTTP request explicitly for action methods.
Rule description
All the action methods that create, edit, delete, or otherwise modify data needs to be protected with the antiforgery attribute from cross-site request forgery attacks. Performing a GET operation should be a safe operation that has no side effects and doesn't modify your persisted data.
How to fix violations
Mark the action methods with HttpVerb
attribute.
When to suppress warnings
It's safe to suppress warnings from this rule if:
- You're sure that no modifying operation is taking place in the action method. Or, it's not an action method at all.
- Solutions other than using antiforgery token attributes are adopted to mitigate CSRF vulnerabilities. For more information, see Prevent Cross-Site Request Forgery (XSRF/CSRF) attacks in ASP.NET Core.
Suppress a warning
If you just want to suppress a single violation, add preprocessor directives to your source file to disable and then re-enable the rule.
#pragma warning disable CA5395
// The code that's violating the rule is on this line.
#pragma warning restore CA5395
To disable the rule for a file, folder, or project, set its severity to none
in the configuration file.
[*.{cs,vb}]
dotnet_diagnostic.CA5395.severity = none
For more information, see How to suppress code analysis warnings.
Pseudo-code examples
Violation
using Microsoft.AspNetCore.Mvc;
[ValidateAntiForgeryToken]
class BlahController : Controller
{
}
class ExampleController : Controller
{
public IActionResult ExampleAction()
{
return null;
}
}
Solution
using Microsoft.AspNetCore.Mvc;
[ValidateAntiForgeryToken]
class BlahController : Controller
{
}
class ExampleController : Controller
{
[HttpGet]
public IActionResult ExampleAction()
{
return null;
}
}