Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Property | Value |
---|---|
Rule ID | CA5365 |
Title | Do Not Disable HTTP Header Checking |
Category | Security |
Fix is breaking or non-breaking | Non-breaking |
Enabled by default in .NET 9 | No |
Set EnableHeaderChecking to false
.
HTTP header checking enables encoding of the carriage return and newline characters, \r
and \n
, that are found in response headers. This encoding can help to avoid injection attacks that exploit an application that echoes untrusted data contained in the header.
Set EnableHeaderChecking to true
. Or, remove the assignment to false
because the default value is true
.
HTTP header continuations rely on headers spanning multiple lines and require new lines in them. If you need to use header continuations, you need to set the EnableHeaderChecking property to false
. There is a performance impact from checking the headers. If you are certain you are already doing the right checks, turning off this feature can improve the performance of your application. Before you disable this feature, be sure you are already taking the right precautions in this area.
If you just want to suppress a single violation, add preprocessor directives to your source file to disable and then re-enable the rule.
#pragma warning disable CA5365
// The code that's violating the rule is on this line.
#pragma warning restore CA5365
To disable the rule for a file, folder, or project, set its severity to none
in the configuration file.
[*.{cs,vb}]
dotnet_diagnostic.CA5365.severity = none
For more information, see How to suppress code analysis warnings.
using System;
using System.Web.Configuration;
class TestClass
{
public void TestMethod()
{
HttpRuntimeSection httpRuntimeSection = new HttpRuntimeSection();
httpRuntimeSection.EnableHeaderChecking = false;
}
}
using System;
using System.Web.Configuration;
class TestClass
{
public void TestMethod()
{
HttpRuntimeSection httpRuntimeSection = new HttpRuntimeSection();
httpRuntimeSection.EnableHeaderChecking = true;
}
}
.NET feedback
.NET is an open source project. Select a link to provide feedback: