All rules
CA5395 (Security) - Enabled by default: No

Miss HttpVerb attribute for action methods


Description

All action methods that create, edit, delete, or otherwise modify data need to be protected against cross-site request forgery with the antiforgery attribute. A GET request should be a safe operation that has no side effects and doesn't modify your persisted data, so each action must state explicitly which HTTP verb it accepts.

Cause

Not specifying the kind of HTTP request explicitly for action methods.

How to fix violations

Mark each action method with an HttpVerb attribute, such as [HttpGet] for safe, read-only actions or [HttpPost] for actions that modify data.

Example

using Microsoft.AspNetCore.Mvc;

// Violation: ExampleAction carries no HttpVerb attribute, so CA5395 reports it.
[ValidateAntiForgeryToken]
class BlahController : Controller
{
}

class ExampleController : Controller
{
    public IActionResult ExampleAction()
    {
        return null;
    }
}

using Microsoft.AspNetCore.Mvc;

// Fix: the action declares the verb it accepts, so the rule no longer fires.
[ValidateAntiForgeryToken]
class BlahController : Controller
{
}

class ExampleController : Controller
{
    [HttpGet]
    public IActionResult ExampleAction()
    {
        return null;
    }
}

When to suppress

It's safe to suppress warnings from this rule if:

  • You're sure that no modifying operation is taking place in the action method. Or, it's not an action method at all.
  • Solutions other than using antiforgery token attributes are adopted to mitigate CSRF vulnerabilities. For more information, see Prevent Cross-Site Request Forgery (XSRF/CSRF) attacks in ASP.NET Core.
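The following controller is an added example, not code from the rule documentation, showing why the verb attribute matters for the antiforgery check and how the two suppression cases look in code. OrdersController, Details, Cancel and IsCancellable are hypothetical names. The antiforgery filter skips validation for GET, HEAD, OPTIONS and TRACE requests, so an unmarked modifying action that is reachable by GET is not protected even when [ValidateAntiForgeryToken] is present; restricting the action to POST closes that gap.

```csharp
using Microsoft.AspNetCore.Mvc;

// Hypothetical controller (added example).
public class OrdersController : Controller
{
    // Safe read-only action: no side effects, so GET is correct and no
    // antiforgery token is required.
    [HttpGet]
    public IActionResult Details(int id)
    {
        return View(id);
    }

    // Before the fix this method looked like the one below, with neither
    // attribute. CA5395 would flag it, and because MVC then routes GET
    // requests to it, the antiforgery filter would not run for those requests:
    //
    //     public IActionResult Cancel(int id) { ... }
    //
    // After the fix: the action only accepts POST and the token is validated.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public IActionResult Cancel(int id)
    {
        // ... cancel the order in persistent storage ...
        return RedirectToAction(nameof(Details), new { id });
    }

    // Public helper that is not meant to be routable. [NonAction] tells MVC
    // (and the analyzer) that this is not an action method, which is the
    // "not an action method at all" suppression case from the list above.
    [NonAction]
    public bool IsCancellable(int id)
    {
        return id > 0;
    }
}
```

In a Razor view, the form that posts to Cancel includes the antiforgery token automatically when it is rendered with the form tag helper (`<form asp-action="Cancel" method="post">`), so the POST-plus-token combination above is enforced end to end.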