Why is JsonRequestBehavior needed?

Understanding JSON data restriction over HTTP GET requests

You probably run to this exception when you tried to fetch JSON data over HTTP GET request. Now, first this is easy to bypass by simply adding JsonRequestBehavior.AllowGet option to method which is retutning JSON data for GET request in a controller file.

return Json(data, JsonRequestBehavior.AllowGet);
    

This is easy to switch off the same way you switch off form data validation in ASP.NET WebForms, but are you doing the right thing by doing this?

Well the answer is probably yes and now both :). As much as it sounds it is a whole in you application security, these kind of stuff are required to be done in some places. Microsoft made .NET to assume people will make these kind of mistakes during development, so it made them restricted by default.

However it is safe to remove these blocking in certain cases.

Now back to the subject of this article, why am I getting exception when trying to fetch JSON data over HTTP GET request?

Note

Micrsoft ASP.NET MVC framework does not allow you to respond with JSON data over HTTP GET request

It assumes you might expose sensitive data over the GET request which can be used in so called JSON Hijacking.

This exception for example sill not happen with POST request as JSON payload is allowed by default for HTTP GET requests.

So as I mentioned, it is safe to switch this feature off only n case you are 100% sure you are not exposing any sensitive data over GET request.

Disclaimer

Purpose of the code contained in snippets or available for download in this article is solely for learning and demo purposes. Author will not be held responsible for any failure or damages caused due to any other usage.


About the author

DEJAN STOJANOVIC

Dejan is a passionate Software Architect/Developer. He is highly experienced in .NET programming platform including ASP.NET MVC and WebApi. He likes working on new technologies and exciting challenging projects

CONNECT WITH DEJAN  Loginlinkedin Logintwitter Logingoogleplus Logingoogleplus

JavaScript

read more

SQL/T-SQL

read more

Umbraco CMS

read more

PowerShell

read more

Comments for this article