Does `[HttpPost]` Alone Suffice to Secure Against JSON Hijacking in ASP.NET MVC?
Is it possible to limit HTTP GET requests using only the [HttpPost] attribute?
Why do I need JsonRequestBehavior when the [HttpPost] attribute already limits an action method to HTTP POST requests?
JsonRequestBehavior matters because, by default, the Json() result in MVC applies a "deny GET" policy (JsonRequestBehavior.DenyGet). This is a security measure against JSON hijacking, in which a malicious page could read JSON data that the server returns for an HTTP GET request.
With [HttpPost] on the action, as in the code in question, the HTTP GET request is blocked before the action runs. However, if a method returns sensitive data, it may still be vulnerable to JSON hijacking attacks. To explicitly allow HTTP GET requests for an action, JsonRequestBehavior.AllowGet must be passed to Json(); doing so accepts the associated security risk.
More insights:
MVC's "Deny GET" policy is intended to make developers consider carefully the implications of exposing sensitive data as JSON over HTTP GET requests. Allowing GET requests with JsonRequestBehavior.AllowGet is considered safe if the data returned is not sensitive.
Also, with recent browser updates, JSON hijacking has become a less significant security issue. However, to mitigate any remaining risk, it is still recommended to avoid returning sensitive data as JSON in response to HTTP GET requests.
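The three configurations discussed above side by side in an ASP.NET MVC 5 (System.Web.Mvc) controller, as an added example that is not part of the original article; the controller name, the ProfileDto type and the returned values are constructed for illustration.

```csharp
using System.Web.Mvc;

// Constructed DTO standing in for per-user (sensitive) data.
public class ProfileDto
{
    public string Email { get; set; }
    public string Display { get; set; }
}

// Hypothetical controller showing how [HttpPost] and JsonRequestBehavior interact.
public class AccountController : Controller
{
    // 1. [HttpPost] alone: a GET never reaches this action (MVC answers 404 because no
    //    action matches), so the JSON result is never produced for a GET. The default
    //    JsonRequestBehavior.DenyGet can stay; AllowGet is not needed here.
    [HttpPost]
    public JsonResult SensitiveProfile()
    {
        var dto = new ProfileDto { Email = "user@example.com", Display = "Example User" }; // constructed
        return Json(dto); // default DenyGet is harmless for a POST-only action
    }

    // 2. No [HttpPost] and no AllowGet: a GET reaches the action, but when the JsonResult
    //    executes MVC throws InvalidOperationException ("This request has been blocked
    //    because sensitive information could be disclosed to third party web sites...").
    //    This is the "deny GET" safety net catching an accidental exposure.
    public JsonResult SensitiveProfileByGet()
    {
        var dto = new ProfileDto { Email = "user@example.com", Display = "Example User" }; // constructed
        return Json(dto); // blocked on GET; fine on POST
    }

    // 3. AllowGet: acceptable only for data that is not sensitive (nothing user- or
    //    session-specific), because any site can trigger a GET from a visitor's browser.
    [HttpGet]
    public JsonResult PublicCountries()
    {
        var countries = new[] { "DE", "FR", "US" }; // constructed public reference data
        return Json(countries, JsonRequestBehavior.AllowGet);
    }
}
```

If an action must serve sensitive data to a GET request, return an object rather than a bare array and require an anti-forgery or session check, but the simplest rule remains the one the article gives: keep sensitive JSON on POST.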