Not specifying the kind of HTTP request explicitly for action methods.
Rule descriptionAll the action methods that create, edit, delete, or otherwise modify data needs to be protected with the antiforgery attribute from cross-site request forgery attacks. Performing a GET operation should be a safe operation that has no side effects and doesn't modify your persisted data.
How to fix violationsMark the action methods with HttpVerb attribute.
It's safe to suppress warnings from this rule if:
If you just want to suppress a single violation, add preprocessor directives to your source file to disable and then re-enable the rule.
#pragma warning disable CA5395
// The code that's violating the rule is on this line.
#pragma warning restore CA5395
To disable the rule for a file, folder, or project, set its severity to none in the configuration file.
[*.{cs,vb}]
dotnet_diagnostic.CA5395.severity = none
For more information, see How to suppress code analysis warnings.
Pseudo-code examples Violationusing Microsoft.AspNetCore.Mvc;
[ValidateAntiForgeryToken]
class BlahController : Controller
{
}
class ExampleController : Controller
{
public IActionResult ExampleAction()
{
return null;
}
}
using Microsoft.AspNetCore.Mvc;
[ValidateAntiForgeryToken]
class BlahController : Controller
{
}
class ExampleController : Controller
{
[HttpGet]
public IActionResult ExampleAction()
{
return null;
}
}
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4