Rahul

Reputation: 2307

Why is there a need to use JsonRequestBehavior if we already have [HttpPost]?

In ASP.NET MVC we have the option to secure our controller's actions by using HttpGet/HttpPost. And for JSON requests there is one more option given for security: JsonRequestBehavior.

JsonRequestBehavior has two options:

    public enum JsonRequestBehavior
    {
        AllowGet = 0,
        DenyGet = 1,
    }

My question is just for clarification on why there is JsonRequestBehavior.DenyGet if we can use HttpPost.

Upvotes: 0

Views: 2427

Answers (1)

DenyGet is the default setting set by MVC to protect you against a specific JSON request attack that returns data using HTTP GET.

You need to manually decide to add AllowGet, which forces you to consider the data you are exposing over the HTTP GET method.

For a detailed explanation you can read this (slightly dated) post: http://haacked.com/archive/2009/06/25/json-hijacking.aspx/

Upvotes: 3
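
An added illustration of the answer above (not code from the original post or from the ASP.NET MVC project): it shows that `[HttpPost]` and `JsonRequestBehavior` act at different points, so the `DenyGet` default still covers actions where the verb attribute was left off. The controller, action names and sample data are hypothetical.

```csharp
using System.Web.Mvc;

// Hypothetical controller; names and data are constructed for illustration.
public class AccountController : Controller
{
    // Case 1: no verb attribute, so the action is selected for GET and POST.
    // Json(data) uses JsonRequestBehavior.DenyGet by default: on a GET the
    // JsonResult throws InvalidOperationException instead of serializing,
    // so nothing is returned to the caller. A POST succeeds.
    public ActionResult Balances()
    {
        return Json(LoadBalances());
    }

    // Case 2: [HttpPost] is an opt-in filter on action selection. A GET is
    // never dispatched to this method, so the DenyGet check is not reached.
    // The protection exists only because the attribute was remembered.
    [HttpPost]
    public ActionResult BalancesPost()
    {
        return Json(LoadBalances());
    }

    // Case 3: explicit opt-in for data that is acceptable to expose over GET.
    // AllowGet has to be written out, which is the deliberate decision the
    // answer refers to.
    [HttpGet]
    public ActionResult Countries()
    {
        var publicData = new { countries = new[] { "DE", "FR", "IN" } };
        return Json(publicData, JsonRequestBehavior.AllowGet);
    }

    // Constructed sample data standing in for per-user, sensitive records.
    // Private methods are not exposed as actions.
    private static object LoadBalances()
    {
        return new[]
        {
            new { account = "ACC-0001", balance = 1250.00m },
            new { account = "ACC-0002", balance = 87.40m }
        };
    }
}
```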
