A legacy ASP.NET MVC application had a silent security bug caused by the framework's filter deduplication behavior. When the same attribute type (with AllowMultiple = false) was registered both as a global filter and as a controller-level attribute, ASP.NET MVC silently discarded the global filter, keeping only the
Table of contents
What we were trying to doWhat ASP.NET MVC actually doesWhy this became a security problemRoot cause summaryWhat we changedFinal thoughtsMore informationSort: