- Use a secure serializer instead, and don't allow an attacker to specify an arbitrary type to deserialize. For more information see the Preferred alternatives.
- Make the serialized data tamper-proof. After serialization, cryptographically sign the serialized data. Before deserialization, validate the cryptographic signature. Protect the cryptographic key from being disclosed and design for key rotations.
- Restrict deserialized types. Implement a custom xref:System.Runtime.Serialization.SerializationBinder?displayProperty=nameWithType. Before deserializing, set the Binder property to an instance of your custom xref:System.Runtime.Serialization.SerializationBinder in all code paths. In the overridden xref:System.Runtime.Serialization.SerializationBinder.BindToType%2A method, if the type is unexpected, throw an exception to stop deserialization.
  - This option still leaves code vulnerable to denial of service attacks and to possible remote code execution attacks in the future. For more information, see the BinaryFormatter security guide.
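The second and third options combined, as an added example that is not from the original page: the payload is HMAC-signed before it leaves the trusted side, the tag is verified before the formatter reads a single byte, and a custom SerializationBinder rejects any type other than the one expected. The `Order` type, `AllowListBinder`, `SignedOrderTransport` and the envelope layout are assumptions made for this illustration; it assumes a runtime where BinaryFormatter is still enabled (.NET Framework or older .NET), and the key handed in must be kept secret and rotated as the guidance above describes.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;
using System.Security.Cryptography;
[Serializable]
public class Order { public int Id; public string Item; }
// Allow-list binder (assumed name): the only type a payload may name is Order;
// any other type name in the stream aborts deserialization instead of being resolved.
public sealed class AllowListBinder : SerializationBinder
{
    public override Type BindToType(string assemblyName, string typeName)
    {
        if (typeName == typeof(Order).FullName) return typeof(Order);
        // Throw rather than let the formatter resolve and construct whatever type the sender named.
        throw new SerializationException("Refusing to deserialize type: " + typeName);
    }
}
public static class SignedOrderTransport
{
    const int TagLen = 32; // HMAC-SHA256 output size
    // Envelope layout (constructed for this example): HMAC-SHA256(payload) || payload
    public static byte[] Serialize(Order order, byte[] key)
    {
        using (var ms = new MemoryStream())
        using (var hmac = new HMACSHA256(key))
        {
            new BinaryFormatter().Serialize(ms, order);
            byte[] payload = ms.ToArray(), tag = hmac.ComputeHash(payload);
            byte[] env = new byte[TagLen + payload.Length];
            Buffer.BlockCopy(tag, 0, env, 0, TagLen);
            Buffer.BlockCopy(payload, 0, env, TagLen, payload.Length);
            return env;
        }
    }
    public static Order Deserialize(byte[] env, byte[] key)
    {
        if (env.Length < TagLen) throw new SerializationException("Envelope too short");
        byte[] payload = new byte[env.Length - TagLen];
        Buffer.BlockCopy(env, TagLen, payload, 0, payload.Length);
        byte[] expected;
        using (var hmac = new HMACSHA256(key)) expected = hmac.ComputeHash(payload);
        int diff = 0; // constant-time tag check, done BEFORE the formatter sees any bytes
        for (int i = 0; i < TagLen; i++) diff |= env[i] ^ expected[i];
        if (diff != 0) throw new SerializationException("Signature mismatch; payload rejected");
        var bf = new BinaryFormatter { Binder = new AllowListBinder() }; // set on every code path
        using (var ms = new MemoryStream(payload)) return (Order)bf.Deserialize(ms);
    }
}
```

Tampering with any payload byte fails the tag check before BinaryFormatter runs, and a payload that names a type other than `Order` is rejected in `BindToType`; neither defence replaces moving to a secure serializer.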