CA5386 (category: Security). Enabled by default: No

Avoid hardcoding SecurityProtocolType value

Source: Microsoft docs

Description

Transport Layer Security (TLS) secures communication between computers, most commonly with Hypertext Transfer Protocol Secure (HTTPS). Protocol versions TLS 1.0 and TLS 1.1 are deprecated, while TLS 1.2 and TLS 1.3 are current. In the future, TLS 1.2 and TLS 1.3 may be deprecated. To ensure that your application remains secure, avoid hardcoding a protocol version and target at least .NET Framework v4.7.1. For more information, see Transport Layer Security (TLS) best practices with .NET Framework.

Cause

This rule fires when either of the following conditions is met:

  • A safe but hardcoded System.Net.SecurityProtocolType value was referenced.
  • An integer value representing a safe protocol version was assigned to a System.Net.SecurityProtocolType variable.

Safe values are:

  • Tls12
  • Tls13

How to fix violations

Don't hardcode TLS protocol versions.

Example

using System;
using System.Net;

public class ExampleClass
{
    public void ExampleMethod()
    {
        // CA5386 violation
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
    }
}

using System;
using System.Net;

public class ExampleClass
{
    public void ExampleMethod()
    {
        // CA5386 violation
        ServicePointManager.SecurityProtocol = (SecurityProtocolType) 3072;    // TLS 1.2
    }
}

using System;
using System.Net;

public class TestClass
{
    public void TestMethod()
    {
        // Let the operating system decide what TLS protocol version to use.
        // See https://learn.microsoft.com/dotnet/framework/network-programming/tls
    }
}
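The snippets above show the two flagged forms and the fix of simply not assigning a protocol. The following is an added example, not code from the Microsoft docs page, that covers the related case the rule's "Cause" section describes: a process in which some other code (a library, an older startup routine) has already pinned the protocol set, so doing nothing is not enough. It assumes .NET Framework 4.7.1 or later, where SecurityProtocolType.SystemDefault (value 0) exists and is the default, and the method names TlsConfiguration, ResetToSystemDefault, IsProtocolPinned and FetchStatusAsync are hypothetical.

```csharp
// Added example (not from the Microsoft docs page). Assumes .NET Framework 4.7.1+,
// where SecurityProtocolType.SystemDefault is available and is the default value.
using System;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;

public static class TlsConfiguration
{
    // True if some code in the process has replaced the OS-managed default with
    // a fixed set of versions (e.g. Tls12 or the integer 3072). A fixed set is
    // what CA5386 warns about: it stays pinned when that version is deprecated.
    public static bool IsProtocolPinned()
    {
        return ServicePointManager.SecurityProtocol != SecurityProtocolType.SystemDefault;
    }

    // Undo a hardcoded assignment made elsewhere and hand negotiation back to the
    // operating system. Returns the value that was found so the caller can log it;
    // on a clean 4.7.1+ process this is a no-op that returns SystemDefault.
    public static SecurityProtocolType ResetToSystemDefault()
    {
        SecurityProtocolType previous = ServicePointManager.SecurityProtocol;
        if (previous != SecurityProtocolType.SystemDefault)
        {
            // Assigning SystemDefault is not flagged by CA5386; only Tls12/Tls13
            // (and their integer equivalents) are.
            ServicePointManager.SecurityProtocol = SecurityProtocolType.SystemDefault;
        }
        return previous;
    }

    // A request made after the reset. With SystemDefault, Schannel negotiates the
    // highest version enabled in the OS, and newer versions arrive through OS
    // updates with no change to this code.
    public static async Task<int> FetchStatusAsync(string url)
    {
        using (var client = new HttpClient())
        using (HttpResponseMessage response = await client.GetAsync(url))
        {
            return (int)response.StatusCode;
        }
    }

    public static async Task Main()
    {
        // Simulate a library that pinned the process to TLS 1.2 via the integer form.
        ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072;

        Console.WriteLine("pinned before reset: " + IsProtocolPinned()); // True
        SecurityProtocolType found = ResetToSystemDefault();
        Console.WriteLine("was: " + found + ", pinned now: " + IsProtocolPinned()); // Tls12, False

        // Replace with a real endpoint when running; the URL is a placeholder.
        Console.WriteLine(await FetchStatusAsync("https://example.invalid/"));
    }
}
```

Running the reset early in startup (before any ServicePointManager or HttpClient use) is the point; a reset after connections have been opened still applies to new connections but does not renegotiate existing ones. The check is also a cheap integration-test assertion: if IsProtocolPinned() returns true on a 4.7.1+ target, something in the dependency graph is still hardcoding a version.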

When to suppress

You can suppress this warning if your application targets .NET Framework v4.6.2 or earlier and may run on a computer that has insecure defaults.
