Products
In-IDE
IDE extension that lets you fix coding issues before they exist!
Discover SonarLint
SaaS
Setup is effortless and analysis is automatic for most languages
Discover SonarCloud
Self-Hosted
Fast, accurate analysis; enterprise scalability
Discover SonarQube

Secrets
ABAP
Ansible
Apex
AzureResourceManager
C
C#
C++
CloudFormation
COBOL
CSS
Dart
Docker
Flex
Go
HTML
Java
JavaScript
JCL
Kotlin
Kubernetes
Objective C
PHP
PL/I
PL/SQL
Python
RPG
Ruby
Scala
Swift
Terraform
Text
TypeScript
T-SQL
VB.NET
VB6
XML

C# static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your C# code

Tags

Impact

Clean code attribute

JWT secret keys should not be disclosed
Vulnerability
Extracting archives should not lead to zip slip vulnerabilities
Vulnerability
Dynamic code execution should not be vulnerable to injection attacks
Vulnerability
NoSQL operations should not be vulnerable to injection attacks
Vulnerability
HTTP request redirections should not be open to forging attacks
Vulnerability
Deserialization should not be vulnerable to injection attacks
Vulnerability
Endpoints should not be vulnerable to reflected cross-site scripting (XSS) attacks
Vulnerability
Database queries should not be vulnerable to injection attacks
Vulnerability
XML parsers should not be vulnerable to XXE attacks
Vulnerability
A secure password should be used when connecting to a database
Vulnerability
XPath expressions should not be vulnerable to injection attacks
Vulnerability
I/O function calls should not be vulnerable to path injection attacks
Vulnerability
LDAP queries should not be vulnerable to injection attacks
Vulnerability
OS commands should not be vulnerable to command injection attacks
Vulnerability
Classes should implement their "ExportAttribute" interfaces
Bug
"Thread.Resume" and "Thread.Suspend" should not be used
Bug
"SafeHandle.DangerousGetHandle" should not be called
Bug
Type inheritance should not be recursive
Bug
"IDisposables" should be disposed
Bug
SQL keywords should be delimited by whitespace
Bug
Composite format strings should not lead to unexpected behavior at runtime
Bug
Loops and recursions should not be infinite
Bug
Finalizers should not throw exceptions
Bug
Hard-coded secrets are security-sensitive
Security Hotspot
Hard-coded credentials are security-sensitive
Security Hotspot
Interfaces for durable entities should satisfy the restrictions
Code Smell
Calls to "async" methods should not be blocking in Azure Functions
Code Smell
Exceptions should not be thrown from unexpected methods
Code Smell
"operator==" should not be overloaded on reference types
Code Smell
Type should not be examined on "System.Type" instances
Code Smell
Test method signatures should be correct
Code Smell
Method overloads with default parameter values should not overlap
Code Smell
"value" contextual keyword should be used
Code Smell
"is" should not be used with "this"
Code Smell
Assertions should be complete
Code Smell
Methods named "Dispose" should implement "IDisposable.Dispose"
Code Smell
Tests should include assertions
Code Smell
Unnecessary bit operations should not be performed
Code Smell
Public methods should not have multidimensional array parameters
Code Smell
"async" and "await" should not be used as identifiers
Code Smell
Test classes should contain at least one test case
Code Smell
Short-circuit logic should be used in boolean contexts
Code Smell
JWT should be signed and verified with strong cipher algorithms
Vulnerability
Cipher algorithms should be robust
Vulnerability
Encryption algorithms should be used with secure mode and padding scheme
Vulnerability
Insecure temporary file creation methods should not be used
Vulnerability
Passwords should not be stored in plaintext or with a fast hashing algorithm
Vulnerability
Server certificates should be verified during SSL/TLS connections
Vulnerability
LDAP connections should be authenticated
Vulnerability
Cryptographic keys should be robust
Vulnerability
Weak SSL/TLS protocols should not be used
Vulnerability
Secure random number generators should not output predictable values
Vulnerability
Cipher Block Chaining IVs should be unpredictable
Vulnerability
Regular expressions should not be vulnerable to Denial of Service attacks
Vulnerability
Password hashing functions should use an unpredictable salt
Vulnerability
Log message template should be syntactically correct
Bug
Regular expressions should be syntactically valid
Bug
Non-async "Task/Task<T>" methods should not return null
Bug
Calls to delegate's method "BeginInvoke" should be paired with calls to "EndInvoke"
Bug
"Shared" parts should not be created with "new"
Bug
Getters and setters should access the expected fields
Bug
Right operands of shift operators should be integers
Bug
Shared resources should not be used for locking
Bug
Locks should be released on all paths
Bug
Using publicly writable directories is security-sensitive
Security Hotspot
Using clear-text protocols is security-sensitive
Security Hotspot
Expanding archive files without controlling resource consumption is security-sensitive
Security Hotspot
Using weak hashing algorithms is security-sensitive
Security Hotspot
Disabling CSRF protections is security-sensitive
Security Hotspot
Using non-standard cryptographic algorithms is security-sensitive
Security Hotspot
Using pseudorandom number generators (PRNGs) is security-sensitive
Security Hotspot
Parameter names should match base declaration and other partial definitions
Code Smell
ModelState.IsValid should be called in controller actions
Code Smell
"ValueTask" should be consumed correctly
Code Smell
Start index should be used instead of calling Substring
Code Smell
"default" clauses should be first or last
Code Smell
Unread "private" fields should be removed
Code Smell
Base class methods should not be hidden
Code Smell
Inherited member visibility should not be decreased
Code Smell
Threads should not lock on objects with weak identity
Code Smell
A conditionally executed single line should be denoted by indentation
Code Smell
Conditionals should start on new lines
Code Smell
Assemblies should have version information
Code Smell
Exception types should be "public"
Code Smell
Cognitive Complexity of methods should not be too high
Code Smell
"params" should not be introduced on overrides
Code Smell
"[DefaultValue]" should not be used when "[DefaultParameterValue]" is meant
Code Smell
"[Optional]" should not be used on "ref" or "out" parameters
Code Smell
Non-flags enums should not be used in bitwise operations
Code Smell
Inner class members should not shadow outer class "static" or type members
Code Smell
"Explicit" conversions of "foreach" loops should not be used
Code Smell
Literal boolean values should not be used in assertions
Code Smell
Instance members should not write to "static" fields
Code Smell
"IndexOf" checks should not be for positive numbers
Code Smell
Whitespace and control characters in string literals should be explicit
Code Smell
Properties should not make collection or array copies
Code Smell
Flags enumerations zero-value members should be named "None"
Code Smell
Overflow checking should not be disabled for "Enumerable.Sum"
Code Smell
Field-like events should not be virtual
Code Smell
Non-constant static fields should not be visible
Code Smell
Unnecessary mathematical comparisons should not be made
Code Smell
"for" loop increment clauses should modify the loops' counters
Code Smell
Invalid casts should be avoided
Code Smell
Constructors should only call non-overridable methods
Code Smell
"GC.Collect" should not be called
Code Smell
Methods should not be empty
Code Smell
Exceptions should not be thrown in finally blocks
Code Smell
Method overrides should not change parameter defaults
Code Smell
Server-side requests should not be vulnerable to traversing attacks
Vulnerability
Content Security Policies should be restrictive
Vulnerability
Stack traces should not be disclosed
Vulnerability
Loop boundaries should not be vulnerable to injection attacks
Vulnerability
Connection strings should not be vulnerable to injections attacks
Vulnerability
Memory allocations should not be vulnerable to Denial of Service attacks
Vulnerability
Accessing files should not lead to filesystem oracle attacks
Vulnerability
Environment variables should not be defined from untrusted input
Vulnerability
XML operations should not be vulnerable to injection attacks
Vulnerability
XML signatures should be validated securely
Vulnerability
Applications should not create session cookies from untrusted input
Vulnerability
Reflection should not be vulnerable to injection attacks
Vulnerability
Types allowed to be deserialized should be restricted
Vulnerability
Server-side requests should not be vulnerable to forging attacks
Vulnerability
Members should not have conflicting transparency annotations
Vulnerability
Locks should be released within the same method
Bug
A write lock should not be released when a read lock has been acquired and vice versa
Bug
Backslash should be avoided in route templates
Bug
Component parameter type should match the route parameter type constraint
Bug
[JSInvokable] attribute should only be used on public methods
Bug
Blazor query parameter type should be supported
Bug
Message template placeholders should be unique
Bug
"PartCreationPolicyAttribute" should be used with "ExportAttribute"
Bug
"ConstructorArgument" parameters should exist in constructors
Bug
Windows Forms entry points should be marked with STAThread
Bug
Collection elements should not be replaced unconditionally
Bug
Exceptions should not be created without being thrown
Bug
Collection sizes and array length comparisons should make sense
Bug
Calculations should not overflow
Bug
Serialization event handlers should be implemented correctly
Bug
Deserialization methods should be provided for "OptionalField" members
Bug
All branches in a conditional structure should not have exactly the same implementation
Bug
Types should be defined in named namespaces
Bug
Empty nullable value should not be accessed
Bug
Nullable type comparison should not be redundant
Bug
Methods with "Pure" attribute should return a value
Bug
One-way "OperationContract" methods should have "void" return type
Bug
Optional parameters should be passed to "base" calls
Bug
Classes should not have only "private" constructors
Bug
Expressions used in "Debug.Assert" should not produce side effects
Bug
Caller information parameters should come at the end of the parameter list
Bug
Static fields should appear in the order they must be initialized
Bug
Classes directly extending "object" should not call "base" in "GetHashCode" or "Equals"
Bug
Anonymous delegates should not be used to unsubscribe from Events
Bug
Delegates should not be subtracted
Bug
"async" methods should not return "void"
Bug
"ThreadStatic" should not be used on non-static fields
Bug
"IDisposables" created in a "using" statement should not be returned
Bug
"ThreadStatic" fields should not be initialized
Bug
"Object.ReferenceEquals" should not be used for value types
Bug
Doubled prefix operators "!!" and "~~" should not be used
Bug
Non-existent operators like "=+" should not be used
Bug
"NaN" should not be used in comparisons
Bug
Conditionally executed code should be reachable
Bug
Blocks should be synchronized on read-only fields
Bug
Null pointers should not be dereferenced
Bug
For-loop conditions should be true at least once
Bug
A "for" loop update clause should move the counter in the right direction
Bug
"ToString()" method should not return null
Bug
Methods without side effects should not have their return values ignored
Bug
Values should not be uselessly incremented
Bug
Collections should not be passed as arguments to their own methods
Bug
Related "if/else if" statements should not have the same condition
Bug
Objects should not be created to be dropped immediately without being used
Bug
Identical expressions should not be used on both sides of operators
Bug
Loops with at most one iteration should be refactored
Bug
Variables should not be self-assigned
Bug
Floating point numbers should not be tested for equality
Bug
Using unsafe code blocks is security-sensitive
Security Hotspot
Not specifying a timeout for regular expressions is security-sensitive
Security Hotspot
Constructing arguments of system commands from user input is security-sensitive
Security Hotspot
Deserializing objects without performing data validation is security-sensitive
Security Hotspot
Disabling ASP.NET "Request Validation" feature is security-sensitive
Security Hotspot
Allowing requests with excessive content length is security-sensitive
Security Hotspot
Setting loose file permissions is security-sensitive
Security Hotspot
Formatting SQL queries is security-sensitive
Security Hotspot
Using hardcoded IP addresses is security-sensitive
Security Hotspot
"goto" statement should not be used
Code Smell
First/Single should be used instead of FirstOrDefault/SingleOrDefault on collections that are known to be non-empty
Code Smell
Actions that return a value should be annotated with ProducesResponseTypeAttribute containing the return type
Code Smell
Awaitable method should be used
Code Smell
REST API actions should be annotated with an HTTP verb attribute
Code Smell
Value type property used as input in a controller action should be nullable, required or annotated with the JsonRequiredAttribute to avoid under-posting.
Code Smell
You should pool HTTP connections with HttpClientFactory
Code Smell
API Controllers should derive from ControllerBase instead of Controller
Code Smell
Controllers should not have mixed responsibilities
Code Smell
A Route attribute should be added to the controller when a route template is specified at the action level
Code Smell
Use model binding instead of reading raw request data
Code Smell
ASP.NET controller actions should not have a route template starting with "/"
Code Smell
Log message template placeholders should be in the right order
Code Smell
Use a format provider when parsing date and time
Code Smell
Use "TimeZoneInfo.FindSystemTimeZoneById" without converting the timezones with "TimezoneConverter"
Code Smell
Always set the "DateTimeKind" when creating new "DateTime" instances
Code Smell
Avoid using "DateTime.Now" for benchmarking or timing operations
Code Smell
Client instances should not be recreated on each Azure Function invocation
Code Smell
Azure Functions should be stateless
Code Smell
"new Guid()" should not be used
Code Smell
"DebuggerDisplayAttribute" strings should reference existing members
Code Smell
Parameter validation in yielding methods should be wrapped
Code Smell
Events should have proper arguments
Code Smell
Native methods should be wrapped
Code Smell
Methods should not have identical implementations
Code Smell
Non-flags enums should not be marked with "FlagsAttribute"
Code Smell
Operators should be overloaded consistently
Code Smell
Classes implementing "IEquatable<T>" should be sealed
Code Smell
Custom attributes should be marked with "System.AttributeUsageAttribute"
Code Smell
"GC.SuppressFinalize" should not be called
Code Smell
Objects should not be disposed more than once
Code Smell
Parameter names used into ArgumentException constructors should match an existing one
Code Smell
"ISerializable" should be implemented correctly
Code Smell
"Assembly.Load" should be used
Code Smell
"IDisposable" should be implemented correctly
Code Smell
"ServiceContract" and "OperationContract" attributes should be used together
Code Smell
Composite format strings should be used correctly
Code Smell
Exceptions should not be explicitly rethrown
Code Smell
"abstract" classes should not have "public" constructors
Code Smell
"[ExpectedException]" should not be used
Code Smell
Assertion arguments should be passed in the correct order
Code Smell
Ternary operators should not be nested
Code Smell
Events should be invoked
Code Smell
"params" should be used on overrides
Code Smell
Generic type parameters should be co/contravariant when possible
Code Smell
Multiple "OrderBy" calls should not be used
Code Smell
"StringBuilder" data should be used
Code Smell
Reflection should not be used to increase accessibility of classes, methods, or fields
Code Smell
Static fields should not be updated in constructors
Code Smell
LINQ expressions should be simplified
Code Smell
Fields that are only assigned in the constructor should be "readonly"
Code Smell
"Thread.Sleep" should not be used in tests
Code Smell
Static fields should not be used in generic types
Code Smell
Multiline blocks should be enclosed in curly braces
Code Smell
Logging templates should be constant
Code Smell
Boolean expressions should not be gratuitous
Code Smell
Types and methods should not have too many generic parameters
Code Smell
Write-only properties should not be used
Code Smell
Exceptions should not be thrown from property getters
Code Smell
Unused type parameters should be removed
Code Smell
Arguments should be passed in the same order as the method parameters
Code Smell
Classes named like "Exception" should extend "Exception" or a subclass
Code Smell
Exceptions should be either logged or rethrown but not both
Code Smell
Two branches in a conditional structure should not have exactly the same implementation
Code Smell
Unused assignments should be removed
Code Smell
NullReferenceException should not be caught
Code Smell
Tests should not be ignored
Code Smell
"switch" statements with many "case" clauses should have only one statement
Code Smell
"for" loop stop conditions should be invariant
Code Smell
Sections of code should not be commented out
Code Smell
Unused method parameters should be removed
Code Smell
Empty arrays and collections should be returned instead of null
Code Smell
Unused private types or members should be removed
Code Smell
Track uses of "FIXME" tags
Code Smell
"Obsolete" attributes should include explanations
Code Smell
Assignments should not be made from within sub-expressions
Code Smell
General or reserved exceptions should never be thrown
Code Smell
Utility classes should not have public constructors
Code Smell
Local variables should not shadow class fields or properties
Code Smell
Redundant pairs of parentheses should be removed
Code Smell
Inheritance tree of classes should not be too deep
Code Smell
Nested blocks of code should not be left empty
Code Smell
Methods should not have too many parameters
Code Smell
Mergeable "if" statements should be combined
Code Smell
OS commands should not be vulnerable to argument injection attacks
Vulnerability
Logging should not be vulnerable to injection attacks
Vulnerability
Empty collections should not be accessed or iterated
Bug
Mutable, non-private fields should not be "readonly"
Bug
"string.ToCharArray()" and "ReadOnlySpan<T>.ToArray()" should not be called redundantly
Bug
"base.Equals" should not be used to check for reference equality in "Equals" if "base" is not "object"
Bug
Date and time should not be used as a type for primary keys
Bug
Generic parameters not constrained to reference types should not be compared to "null"
Bug
Property assignments should not be made for "readonly" fields not constrained to reference types
Bug
The length returned from a stream read should be checked
Bug
Flags enumerations should explicitly initialize all their members
Bug
"GetHashCode" should not reference mutable fields
Bug
Results of integer division should not be assigned to floating point variables
Bug
Integral numbers should not be shifted by zero or more than their number of bits-1
Bug
"Equals(Object)" and "GetHashCode()" should be overridden in pairs
Bug
Having a permissive Cross-Origin Resource Sharing policy is security-sensitive
Security Hotspot
Delivering code in production with debug features activated is security-sensitive
Security Hotspot
Searching OS commands in PATH is security-sensitive
Security Hotspot
Creating cookies without the "HttpOnly" flag is security-sensitive
Security Hotspot
Creating cookies without the "secure" flag is security-sensitive
Security Hotspot
Literal suffixes should be upper case
Code Smell
Use PascalCase for named placeholders
Code Smell
"Trace.WriteLineIf" should not be used with "TraceSwitch" levels
Code Smell
Generic logger injection should match enclosing type
Code Smell
"Trace.Write" and "Trace.WriteLine" should not be used
Code Smell
Logger field or property name should comply with a naming convention
Code Smell
Logging arguments should be passed to the correct parameter
Code Smell
Logging in a catch clause should pass the caught exception as a parameter.
Code Smell
The code block contains too many logging calls
Code Smell
"string.Create" should be used instead of "FormattableString"
Code Smell
"Contains" should be used instead of "Any" for simple equality checks
Code Smell
"First" and "Last" properties of "LinkedList" should be used instead of the "First()" and "Last()" extension methods
Code Smell
The lambda parameter should be used instead of capturing arguments in "ConcurrentDictionary" methods
Code Smell
"StartsWith" and "EndsWith" overloads that take a "char" should be used instead of the ones that take a "string"
Code Smell
"Min/Max" properties of "Set" types should be used instead of the "Enumerable" extension methods
Code Smell
Prefer indexing instead of "Enumerable" methods on types implementing "IList"
Code Smell
The collection should be filtered before sorting by using "Where" before "OrderBy"
Code Smell
Use the "UnixEpoch" field instead of creating "DateTime" instances that point to the beginning of the Unix epoch
Code Smell
Comments should not be empty
Code Smell
Null checks should not be combined with "is" operator checks
Code Smell
Method overloads should be grouped together
Code Smell
"params" should be used instead of "varargs"
Code Smell
Types should not extend outdated base types
Code Smell
"static" fields should be initialized inline
Code Smell
Classes that provide "Equals(<T>)" should implement "IEquatable<T>"
Code Smell
Arrays should not be created for params parameters
Code Smell
Jump statements should not be redundant
Code Smell
Member initializer values should not be redundant
Code Smell
Unassigned members should be removed
Code Smell
Empty "case" clauses that fall through to the "default" should be omitted
Code Smell
Parameters with "[DefaultParameterValue]" attributes should also be marked "[Optional]"
Code Smell
Interfaces should not simply inherit from base interfaces with colliding members
Code Smell
Variables should not be checked against the values they're about to be assigned
Code Smell
Methods should not return constants
Code Smell
"private" methods called only by inner classes should be moved to those classes
Code Smell
Attribute, EventArgs, and Exception type names should end with the type being extended
Code Smell
Loops should be simplified with "LINQ" expressions
Code Smell
Namespaces should not be empty
Code Smell
Non-derived "private" classes and records should be "sealed"
Code Smell
"string.IsNullOrEmpty" should be used
Code Smell
Implementations should be provided for "partial" methods
Code Smell
Duplicate casts should not be made
Code Smell
Methods should not return values that are never used
Code Smell
Caller information arguments should not be provided explicitly
Code Smell
Method calls should not resolve ambiguously to overloads with "params"
Code Smell
"catch" clauses should do more than rethrow
Code Smell
Generic exceptions should not be ignored
Code Smell
Mutable fields should not be "public static"
Code Smell
Enumeration type names should not have "Flags" or "Enum" suffixes
Code Smell
Enumeration types should comply with a naming convention
Code Smell
Methods and properties that don't access instance data should be static
Code Smell
Trivial properties should be auto-implemented
Code Smell
Runtime type checking should be simplified
Code Smell
Classes should not be empty
Code Smell
Boolean checks should not be inverted
Code Smell
Inheritance list should not be redundant
Code Smell
Redundant casts should not be used
Code Smell
An abstract class should have both abstract and concrete methods
Code Smell
Strings should not be concatenated using '+' in a loop
Code Smell
Unused local variables should be removed
Code Smell
Private fields only used as local variables in methods should become local variables
Code Smell
A "while" loop should be used instead of a "for" loop
Code Smell
"Equals" and the comparison operators should be overridden when implementing "IComparable"
Code Smell
Nested code blocks should not be used
Code Smell
String literals should not be duplicated
Code Smell
Overriding members should do more than simply call the same member in the base class
Code Smell
"Any()" should be used to test for emptiness
Code Smell
Boolean literals should not be redundant
Code Smell
Empty statements should be removed
Code Smell
Fields should not have public accessibility
Code Smell
URIs should not be hardcoded
Code Smell
Types should be named in PascalCase
Code Smell
Track uses of "TODO" tags
Code Smell
Deprecated code should be removed
Code Smell
"CoSetProxyBlanket" and "CoInitializeSecurity" should not be used
Vulnerability
Classes with "IDisposable" members should implement "IDisposable"
Bug
Calls to "async" methods should not be blocking
Code Smell
Child class fields should not shadow parent class fields
Code Smell
Track lack of copyright and license headers
Code Smell
Exit methods should not be called
Code Smell
Classes should "Dispose" of members from the classes' own "Dispose" methods
Bug
Configuring loggers is security-sensitive
Security Hotspot
Interface methods should be callable by derived types
Code Smell
Child class fields should not differ from parent class fields only by capitalization
Code Smell
Pointers to unmanaged memory should not be visible
Code Smell
Number patterns should be regular
Code Smell
"out" and "ref" parameters should not be used
Code Smell
Unchanged variables should be marked as "const"
Code Smell
"ConfigureAwait(false)" should be used
Code Smell
"interface" instances should not be cast to concrete types
Code Smell
Optional parameters should not be used
Code Smell
Public constant members should not be used
Code Smell
Array covariance should not be used
Code Smell
"nameof" should be used
Code Smell
Modulus results should not be checked for direct equality
Code Smell
"switch" statements should not be nested
Code Smell
Methods and properties should not be too complex
Code Smell
Control flow statements "if", "switch", "for", "foreach", "while", "do" and "try" should not be nested too deeply
Code Smell
"switch/Select" statements should contain a "default/Case Else" clauses
Code Smell
"if ... else if" constructs should end with "else" clauses
Code Smell
Control structures should use curly braces
Code Smell
Expressions should not be too complex
Code Smell
Serialization constructors should be secured
Vulnerability
Blocks should not be synchronized on local variables
Bug
Increment (++) and decrement (--) operators should not be used in a method call or mixed with other operators in an expression
Code Smell
Parameters with SupplyParameterFromQuery attribute should be used only in routable components
Code Smell
Using lambda expressions in loops should be avoided in Blazor markup section
Code Smell
Use "DateTimeOffset" instead of "DateTime"
Code Smell
Use UTC when recording DateTime instants
Code Smell
Azure Functions should log all failures
Code Smell
Azure Functions should use Structured Error Handling
Code Smell
Use a testable date/time provider
Code Smell
Parameter validation in "async"/"await" methods should be wrapped
Code Smell
"P/Invoke" methods should not be visible
Code Smell
Property names should not match get methods
Code Smell
Locales should be set for data types
Code Smell
Literals should not be passed as localized parameters
Code Smell
Method signatures should not contain nested generic types
Code Smell
Enumeration members should not be named "Reserved"
Code Smell
"System.Uri" arguments should be used instead of strings
Code Smell
Collection properties should be readonly
Code Smell
Disposable types should declare finalizers
Code Smell
String URI overloads should call "System.Uri" overloads
Code Smell
URI properties should not be strings
Code Smell
URI return values should not be strings
Code Smell
URI Parameters should not be strings
Code Smell
Assemblies should explicitly specify COM visibility
Code Smell
Assemblies should be marked as CLS compliant
Code Smell
"Generic.List" instances should not be part of public APIs
Code Smell
Collections should implement the generic interface
Code Smell
Generic event handlers should be used
Code Smell
Event Handlers should have the correct signature
Code Smell
"Assembly.GetExecutingAssembly" should not be called
Code Smell
Arguments of public methods should be validated against null
Code Smell
Value types should implement "IEquatable<T>"
Code Smell
Finalizers should not be empty
Code Smell
"this" should not be exposed from constructors
Code Smell
Types should not have members with visibility set higher than the type's visibility
Code Smell
Fields should be private
Code Smell
"try" statements with identical "catch" and/or "finally" blocks should be merged
Code Smell
Functions should not have too many lines of code
Code Smell
Statements should be on separate lines
Code Smell
Classes should not be coupled to too many other classes
Code Smell
"switch case" clauses should not have too many lines of code
Code Smell
Magic numbers should not be used
Code Smell
Standard outputs should not be used directly to log anything
Code Smell
Files should not have too many lines of code
Code Smell
Lines should not be too long
Code Smell
Method parameters, caught exceptions and foreach variables' initial values should not be ignored
Bug
Collection-specific "Exists" method should be used instead of the "Any" extension
Code Smell
The collection-specific "TrueForAll" method should be used instead of the "All" extension
Code Smell
"Find" method should be used instead of the "FirstOrDefault" extension
Code Smell
Don't hardcode the format when turning dates and times to strings
Code Smell
"ExcludeFromCodeCoverage" attributes should include a justification
Code Smell
Methods should be named according to their synchronicities
Code Smell
Extensions should be in separate namespaces
Code Smell
Extension methods should not extend "object"
Code Smell
Operator overloads should have named alternatives
Code Smell
Non-abstract attributes should be sealed
Code Smell
Overloads with a "StringComparison" parameter should be used
Code Smell
Overloads with a "CultureInfo" or an "IFormatProvider" parameter should be used
Code Smell
Properties should be preferred
Code Smell
Generics should be used when appropriate
Code Smell
Type names should not match namespaces
Code Smell
Strings should be normalized to uppercase
Code Smell
Exceptions should provide standard constructors
Code Smell
Assemblies should be marked with "NeutralResourcesLanguageAttribute"
Code Smell
Interfaces should not be empty
Code Smell
Enumerations should have "Int32" storage
Code Smell
All type parameters should be used in the parameter list to enable type inference
Code Smell
Multidimensional arrays should not be used
Code Smell
"static readonly" constants should be "const" instead
Code Smell
Strings or integral types should be used for indexers
Code Smell
Parameter names should not duplicate the names of their methods
Code Smell
Track use of "NotImplementedException"
Code Smell
Empty "default" clauses should be removed
Code Smell
Redundant property names should be omitted in anonymous classes
Code Smell
Loggers should be named for their enclosing types
Code Smell
Declarations and initializations should be as concise as possible
Code Smell
Default parameter values should not be passed as arguments
Code Smell
Constructor and destructor declarations should not be redundant
Code Smell
Method parameters should be declared with base types
Code Smell
The simplest possible condition syntax should be used
Code Smell
Redundant parentheses should not be used
Code Smell
"GC.SuppressFinalize" should not be invoked for types without destructors
Code Smell
Members should not be initialized to default values
Code Smell
Sequential tests should not check the same condition
Code Smell
Redundant modifiers should not be used
Code Smell
"Exception" should not be caught
Code Smell
"sealed" classes should not have "protected" members
Code Smell
Underscores should be used to make large numbers readable
Code Smell
"ToString()" calls should not be redundant
Code Smell
"==" should not be used when "Equals" is overridden
Code Smell
Multiple variables should not be declared on the same line
Code Smell
Culture should be specified for "string" operations
Code Smell
Logger fields should be "private static readonly"
Code Smell
"switch" statements should have at least 3 "case" clauses
Code Smell
break statements should not be used except for switch cases
Code Smell
Files should end with a newline
Code Smell
Unnecessary "using" should be removed
Code Smell
A close curly brace should be located at the beginning of a line
Code Smell
Tabulation characters should not be used
Code Smell
Methods and properties should be named in PascalCase
Code Smell
Track uses of in-source issue suppressions
Code Smell

Creating cookies without the "HttpOnly" flag is security-sensitive

intentionality - complete

security

Security Hotspot

MinorSonarSource default severity
click to learn more

cwe
privacy

When a cookie is configured with the HttpOnly attribute set to true, the browser guaranties that no client-side script will be able to read it. In most cases, when a cookie is created, the default value of HttpOnly is false and it’s up to the developer to decide whether or not the content of the cookie can be read by the client-side script. As a majority of Cross-Site Scripting (XSS) attacks target the theft of session-cookies, the HttpOnly attribute can help to reduce their impact as it won’t be possible to exploit the XSS vulnerability to steal session-cookies.

Ask Yourself Whether

the cookie is sensitive, used to authenticate the user, for instance a session-cookie
the HttpOnly attribute offer an additional protection (not the case for an XSRF-TOKEN cookie / CSRF token for example)

There is a risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

By default the HttpOnly flag should be set to true for most of the cookies and it’s mandatory for session / sensitive-security cookies.

Sensitive Code Example

When the HttpCookie.HttpOnly property is set to false then the cookie can be accessed by client side code:

HttpCookie myCookie = new HttpCookie("Sensitive cookie");
myCookie.HttpOnly = false; // Sensitive: this cookie is created with the httponly flag set to false and so it can be stolen easily in case of XSS vulnerability

The default value of HttpOnly flag is false, unless overwritten by an application’s configuration file:

HttpCookie myCookie = new HttpCookie("Sensitive cookie");
// Sensitive: this cookie is created without the httponly flag  (by default set to false) and so it can be stolen easily in case of XSS vulnerability

Compliant Solution

Set the HttpCookie.HttpOnly property to true:

HttpCookie myCookie = new HttpCookie("Sensitive cookie");
myCookie.HttpOnly = true; // Compliant: the sensitive cookie is protected against theft thanks to the HttpOnly property set to true (HttpOnly = true)

Or change the default flag values for the whole application by editing the Web.config configuration file:

<httpCookies httpOnlyCookies="true" requireSSL="true" />

the requireSSL attribute corresponds programmatically to the Secure field.
the httpOnlyCookies attribute corresponds programmatically to the httpOnly field.

See

OWASP - Top 10 2021 Category A5 - Security Misconfiguration
OWASP HttpOnly
OWASP - Top 10 2017 Category A7 - Cross-Site Scripting (XSS)
CWE - CWE-1004 - Sensitive Cookie Without 'HttpOnly' Flag
Derived from FindSecBugs rule HTTPONLY_COOKIE
STIG Viewer - Application Security and Development: V-222575 - The application must set the HTTPOnly flag on session cookies.

Available In:

Catch issues on the fly,
in your IDE

Detect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories

Analyze code in your
on-premise CI

© 2008-2024 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARQUBE, and CLEAN AS YOU CODE are trademarks of SonarSource SA.

Sonar helps developers write Clean Code.
Privacy Policy | Cookie Policy

In-IDE

SaaS

Self-Hosted