Will It Vibe logoWill It Vibe?
CSHARP-013Low severity-4 points

POST action missing [ValidateAntiForgeryToken] next to siblings that have it

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 4 points from that category, once per scan, no matter how many places it turns up.

What it detects

This [HttpPost] action has no [ValidateAntiForgeryToken] attribute even though another POST action in the same controller file does, suggesting it was left off rather than deliberately using a different CSRF defense. This is a low-confidence heuristic: some POST actions are legitimately token-based JSON APIs that use a different CSRF strategy, so verify before treating it as a bug.

Why it matters

When one [HttpPost] action in a controller carries [ValidateAntiForgeryToken] and a sibling action in the same file does not, the missing one is often an oversight rather than a deliberate choice, and it leaves that specific endpoint open to cross-site request forgery: a malicious page can trigger the state-changing request using the victim's existing session cookie. This check is a low-confidence heuristic, since some POST actions are legitimately pure JSON APIs that use a different CSRF defense (e.g. requiring a custom header), so confirm the gap is real before treating it as a bug.

How to fix it

If the action renders or is submitted from a standard HTML form, add [ValidateAntiForgeryToken] to match its siblings and ensure the view emits the antiforgery token (@Html.AntiForgeryToken() or the tag helper's automatic injection). If the action is a token-authenticated JSON API endpoint that intentionally does not use cookie-based auth, it may not need it, but that reasoning should be explicit rather than silent.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks