If I want to display a PDF file in the browser instead of downloading a copy, I can tell the browser via an additional Content-Disposition response header.
This code example assumes that the file content is available as a byte array, for example because it was read from a database.
```csharp
// GET action method that tries to show a PDF file in the browser (inline)
public ActionResult ShowPdfInBrowser()
{
    byte[] pdfContent = CodeThatRetrievesMyFilesContent();
    if (pdfContent == null) return HttpNotFound();

    // Ask the browser to render the file inline instead of offering a download
    var contentDispositionHeader = new System.Net.Mime.ContentDisposition
    {
        Inline = true,
        FileName = "someFilename.pdf"
    };
    Response.AppendHeader("Content-Disposition", contentDispositionHeader.ToString());

    return File(pdfContent, System.Net.Mime.MediaTypeNames.Application.Pdf);
}
```
Please keep in mind that ultimately we don’t have control over the browser. We can politely request to show the PDF inline, but this can be overridden by a user configuration, for example.
Your global authentication default is “requires authentication”. You create a new action method on a controller that should be accessible without authentication and forget to add the [AllowAnonymous] attribute.
Resulting issue: You try your application, can’t enter that new page and fix it. In the worst case you didn’t do your homework and a customer/user finds the bug and complains to you.
Which issue would you rather have to deal with?
I personally prefer the whitelisting approach and err on the side of caution.
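The deny-by-default setup described above, as an added example that is not part of the original post: a global AuthorizeAttribute in ASP.NET MVC 5, a controller whose only anonymous action is whitelisted with [AllowAnonymous], and a reflection helper that lists the anonymous surface so it can be reviewed in a unit test. DocumentsController, PublicBrochure and AnonymousActionAudit are hypothetical names.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Web.Mvc;

public class FilterConfig
{
    // Called once from Global.asax at startup. With AuthorizeAttribute registered
    // globally, every action requires an authenticated user unless it opts out.
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new AuthorizeAttribute());
    }
}

// Hypothetical controller showing the opt-out (whitelist) style.
public class DocumentsController : Controller
{
    // Reachable without login only because of the explicit attribute.
    [AllowAnonymous]
    public ActionResult PublicBrochure()
    {
        return View();
    }

    // No attribute: inherits "requires authentication" from the global filter.
    public ActionResult ShowPdfInBrowser()
    {
        return new EmptyResult(); // body as in the inline-PDF example above
    }
}

// Hypothetical review helper: enumerates every action reachable anonymously,
// so the whitelist is asserted on in a test instead of discovered by a user.
public static class AnonymousActionAudit
{
    public static IList<string> FindAnonymousActions(Assembly assembly)
    {
        return assembly.GetTypes()
            .Where(t => typeof(Controller).IsAssignableFrom(t) && !t.IsAbstract)
            .SelectMany(t => t.GetMethods(BindingFlags.Public | BindingFlags.Instance | BindingFlags.DeclaredOnly))
            .Where(m => typeof(ActionResult).IsAssignableFrom(m.ReturnType))
            .Where(m => m.IsDefined(typeof(AllowAnonymousAttribute), true)
                     || m.DeclaringType.IsDefined(typeof(AllowAnonymousAttribute), true))
            .Select(m => m.DeclaringType.Name + "." + m.Name)
            .ToList();
    }
}
```

For the controller above, FindAnonymousActions(typeof(DocumentsController).Assembly) yields only "DocumentsController.PublicBrochure"; a test that compares that list against the expected whitelist fails as soon as someone adds an unintended opt-out.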