Untitled

unknown
6 months ago
A controller action that changes data or state can be invoked by a request the user never intended to send, for example from a malicious page loaded in the same browser. Because the browser attaches the user's session cookies automatically, the server sees the forged request with valid credentials and cannot tell it apart from a legitimate one.

In System.Threading.Tasks.Task`1<Microsoft.AspNetCore.Mvc.IActionResult> GxPHardening.API.Controllers.NotificationController::SavePolicyDeviation(GxPHardening.ViewModel.Dtos.PolicyDeviationDto): The web application controller modifies data or state and is unprotected from cross-site request forgery.

Protection against CSRF attacks involves several steps.

1. Generate a cryptographically random token bound to the user's session. The "System.Web.Helpers.AntiForgery" class in .NET Framework and the "Microsoft.AspNetCore.Antiforgery.IAntiforgery" interface in .NET Core are designed for this purpose.
2. Send this token with every request that should be protected, so that a cross-site request issued by malicious code in the user's browser (which can make the browser send cookies but cannot read the token) lacks it.
3. Reject any request whose token is missing or invalid, for example by calling "System.Web.Helpers.AntiForgery.Validate" in .NET Framework, or in .NET Core by decorating the action with [ValidateAntiForgeryToken] or calling "Microsoft.AspNetCore.Antiforgery.IAntiforgery.ValidateRequestAsync" yourself.

Two practical notes. The check only matters where the browser supplies credentials on its own (cookie, Basic or Windows authentication); an endpoint that accepts only a bearer token in an Authorization header that the client sets explicitly is not reachable by a classic CSRF request, and the finding should be assessed against how this API is actually authenticated. A SameSite attribute on the session cookie is a worthwhile second layer, but it is not a replacement for the token, since it depends on browser support and still allows same-site (for example subdomain) origins.
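The three steps wired into an ASP.NET Core controller shaped like the flagged one, as an added example that is not the GxPHardening project's own code. It assumes cookie-based authentication, ASP.NET Core 6+ minimal hosting, and a hypothetical PolicyDeviationDto and in-memory store standing in for the real GxPHardening.ViewModel.Dtos.PolicyDeviationDto and persistence layer; the header name X-CSRF-TOKEN and the route names are also assumptions.

```csharp
// Added example (not GxPHardening code). Assumes cookie auth and ASP.NET Core 6+.
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// ---- Program.cs (top-level statements) ----
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers();

// Step 1 setup: register antiforgery. The request token is read from a header
// (what fetch()/SPA clients send); Razor forms would use the hidden field instead.
builder.Services.AddAntiforgery(options =>
{
    options.HeaderName = "X-CSRF-TOKEN";                  // assumed header name
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    options.Cookie.SameSite = SameSiteMode.Strict;        // second layer, not a substitute
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();

// Hypothetical DTO standing in for GxPHardening.ViewModel.Dtos.PolicyDeviationDto.
public record PolicyDeviationDto(string PolicyId, string Justification);

[ApiController]
[Route("api/[controller]")]
[Authorize]
public class NotificationController : ControllerBase
{
    // Hypothetical in-memory store standing in for the real persistence layer.
    private static readonly List<PolicyDeviationDto> Store = new();
    private readonly IAntiforgery _antiforgery;

    public NotificationController(IAntiforgery antiforgery) => _antiforgery = antiforgery;

    // Step 1: issue a token bound to this session. GetAndStoreTokens sets the
    // antiforgery cookie on the response; the client keeps RequestToken and
    // echoes it back in the X-CSRF-TOKEN header (step 2) on every POST.
    [HttpGet("csrf-token")]
    public IActionResult GetCsrfToken()
    {
        AntiforgeryTokenSet tokens = _antiforgery.GetAndStoreTokens(HttpContext);
        return Ok(new { token = tokens.RequestToken });
    }

    // Before (as flagged): a state-changing POST with no CSRF check.
    // [HttpPost("deviation")]
    // public Task<IActionResult> SavePolicyDeviation(PolicyDeviationDto dto) { ... }

    // After, step 3: the attribute runs IAntiforgery.ValidateRequestAsync before the
    // action; a missing or mismatched cookie/header pair yields 400 and the body
    // below never executes.
    [HttpPost("deviation")]
    [ValidateAntiForgeryToken]
    public Task<IActionResult> SavePolicyDeviation([FromBody] PolicyDeviationDto dto)
    {
        Store.Add(dto);
        return Task.FromResult<IActionResult>(Ok(new { saved = Store.Count }));
    }

    // Same check done explicitly, for actions where an attribute cannot be used
    // (e.g. validation must happen after some other decision).
    [HttpPost("deviation-explicit")]
    public async Task<IActionResult> SavePolicyDeviationExplicit([FromBody] PolicyDeviationDto dto)
    {
        try
        {
            await _antiforgery.ValidateRequestAsync(HttpContext);
        }
        catch (AntiforgeryValidationException)
        {
            // Missing or invalid token: reject before touching any state.
            return BadRequest("Missing or invalid antiforgery token.");
        }
        Store.Add(dto);
        return Ok(new { saved = Store.Count });
    }
}
```

Rather than decorating each action, the same validation can be applied to every unsafe method (POST, PUT, PATCH, DELETE) at once with `builder.Services.AddControllers(o => o.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()))`, which closes the gap the scanner is flagging for the whole API instead of one controller; GET endpoints such as the token issuer are not validated by that filter, which is what you want since they must not change state.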