C#-CWE-352

Public controller methods that change state (POST/PUT/DELETE) must enforce CSRF validation

Required inputs: CSharpAST

This rule detects missing CSRF validation in ASP.NET Core applications. It checks controller actions that change state (POST, PUT, DELETE) for:

1. Presence of the `[ValidateAntiForgeryToken]` attribute on the action or on the controller class.
2. Minimal API calls to `IAntiforgery.ValidateRequestAsync()`.

Example of a safe controller action in C#:

[ValidateAntiForgeryToken]
[HttpPost]
public IActionResult SubmitForm(MyModel model)
{
    // protected code
    return Ok();
}
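The following is an added example, not code from the rule's documentation, that puts the pattern the rule flags next to the three forms it accepts: the attribute on the action, the attribute on the controller class, and the Minimal API call to `IAntiforgery.ValidateRequestAsync()`. It assumes a standard ASP.NET Core `Program.cs` with top-level statements; the route paths, the `X-CSRF-TOKEN` header name, and the `ProfileUpdate` record are illustrative choices, not names from the page.

```csharp
// Added example (not part of the rule documentation). Assumes an ASP.NET Core
// project using top-level statements; ProfileUpdate, the routes and the header
// name are illustrative.
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Mvc;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers();
// JSON clients send the request token in this header; the cookie token is set
// automatically when GetAndStoreTokens() runs.
builder.Services.AddAntiforgery(options => options.HeaderName = "X-CSRF-TOKEN");

var app = builder.Build();
app.MapControllers();

// Issues the cookie token and hands the matching request token to the caller.
app.MapGet("/antiforgery/token", (HttpContext http, IAntiforgery antiforgery) =>
{
    var tokens = antiforgery.GetAndStoreTokens(http);
    return Results.Ok(new { token = tokens.RequestToken });
});

// Minimal API form the rule accepts: the state change runs only after
// IAntiforgery.ValidateRequestAsync() has succeeded.
app.MapPost("/api/profile", async (HttpContext http, IAntiforgery antiforgery, ProfileUpdate update) =>
{
    try
    {
        await antiforgery.ValidateRequestAsync(http);
    }
    catch (AntiforgeryValidationException)
    {
        return Results.BadRequest("missing or invalid antiforgery token");
    }
    // ... apply the update here ...
    return Results.Ok();
});

app.Run();

public record ProfileUpdate(string DisplayName);

// Flagged with csrf_missing_validation: a POST that changes state with no
// token check on the action and none on the class.
[ApiController]
[Route("unsafe/[controller]")]
public class UnsafeProfileController : ControllerBase
{
    [HttpPost]
    public IActionResult Update(ProfileUpdate update) => Ok();
}

// Accepted: the attribute sits on the state-changing action.
[ApiController]
[Route("[controller]")]
public class ProfileController : ControllerBase
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public IActionResult Update(ProfileUpdate update) => Ok();

    // GET only reads state, so the rule does not require a token here.
    [HttpGet]
    public IActionResult Get() => Ok();
}

// Accepted: the attribute on the controller class covers every action in it,
// including the PUT and DELETE actions below.
[ApiController]
[Route("[controller]")]
[ValidateAntiForgeryToken]
public class AccountController : ControllerBase
{
    [HttpPut("{id}")]
    public IActionResult Replace(int id, ProfileUpdate update) => Ok();

    [HttpDelete("{id}")]
    public IActionResult Delete(int id) => NoContent();
}
```

Only `UnsafeProfileController.Update` triggers the message; the rule is satisfied by either attribute placement or by the explicit `ValidateRequestAsync()` call, which throws `AntiforgeryValidationException` when the header and cookie tokens do not match.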

Possible Messages

Key                     | Text                                                                                         | Severity | Disabled
csrf_missing_validation | State-changing controller method is missing CSRF validation. Add [ValidateAntiForgeryToken]. | None     | False

Options