SEC0019 with global AutoValidateAntiforgeryTokenAttribute #37
Labels
Comments
felickz
changed the title
felickz
changed the title
|
Agreed, this will need to be part of the .NET Core rule package. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
A newer pattern exists for auto validating CSRF tokens in .NET Core to protect all endpoints through global filter configuration. Is there any pattern for detecting this attribute is globally applied and disable SEC0019? Potentially here SEC0019 could apply to the use of the ignore attribute.
Filters.Add(new AutoValidateAntiforgeryTokenAttribute());AutoValidateAntiforgeryTokenAttribute can be applied as a global filter to trigger validation of antiforgery tokens by default for an application.
Also, we should call out the usage of IgnoreAntiforgeryTokenAttribute here.
Blog explaining the topic: https://andrewlock.net/automatically-validating-anti-forgery-tokens-in-asp-net-core-with-the-autovalidateantiforgerytokenattribute/
This would be dependent on .NET Core support #36
The text was updated successfully, but these errors were encountered: