Add CA2262 (#39351)

docs/fundamentals/code-analysis/quality-rules/ca2262.md

@@ -0,0 +1,61 @@
+---
+title: "CA2262: Set 'MaxResponseHeadersLength' properly"
+description: "Learn about code analysis rule CA2262 - Set 'MaxResponseHeadersLength' properly"
+ms.date: 01/30/2024
+f1_keywords:
+  - CA2262
+helpviewer_keywords:
+  - CA2262
+dev_langs:
+  - CSharp
+  - VB
+---
+# CA2262: Set 'MaxResponseHeadersLength' properly
+
+| Property                            | Value                                       |
+|-------------------------------------|---------------------------------------------|
+| **Rule ID**                         | CA2262                                      |
+| **Title**                           | Set `MaxResponseHeadersLength` properly     |
+| **Category**                        | [Usage](usage-warnings.md)                  |
+| **Fix is breaking or non-breaking** | Non-breaking                                |
+| **Enabled by default in .NET 9**    | As suggestion                               |
+
+## Cause
+
+The <xref:System.Net.Http.HttpClientHandler.MaxResponseHeadersLength?displayProperty=nameWithType> property is set to a value greater than 128.
+
+## Rule description
+
+The <xref:System.Net.Http.HttpClientHandler.MaxResponseHeadersLength?displayProperty=nameWithType> property is measured in kilobytes, not bytes. The default maximum length is 64 KB, which should be large enough for a majority of use cases. If you set the property to a value greater than 128 kilobytes, it might be due to a misunderstanding of the units of this property.
+
+## How to fix violations
+
+If you intended to set a smaller value, update it the desired value measured in kilobytes.
+
+## Example
+
+```csharp
+HttpClientHandler handler = new()
+{
+    // Violation
+    MaxResponseHeadersLength = 512
+
+    // Fix
+    MaxResponseHeadersLength = 0.512
+};
+```
+
+```vb
+
+Dim handler As New HttpClientHandler With {
+    ' Violation
+    .MaxResponseHeadersLength = 512
+
+    ' Fix
+    .MaxResponseHeadersLength = 0.512
+}
+```
+
+## When to suppress errors
+
+It's safe to suppress this warning if the large value is intended.

docs/fundamentals/code-analysis/quality-rules/index.md

@@ -1,9 +1,7 @@
 ---
 title: Code quality rules overview
 description: Learn about all of the available code quality rules for code analysis.
-ms.date: 11/16/2023
-author: mikadumont
-ms.author: midumont
+ms.date: 01/31/2024
 ---
 # Code quality rules
 
@@ -234,6 +232,7 @@ The following table lists code quality analysis rules.
 > | [CA2259: Ensure `ThreadStatic` is only used with static fields](ca2259.md) | <xref:System.ThreadStaticAttribute> only affects `static` (`Shared` in Visual Basic) fields. When applied to instance fields, the attribute has no impact on behavior. |
 > | [CA2260: Implement generic math interfaces correctly](ca2260.md) | Generic math interfaces require the derived type itself to be used for the self-recurring type parameter. |
 > | [CA2261: Do not use `ConfigureAwaitOptions.SuppressThrowing` with `Task<TResult>`](ca2261.md) | The `ConfigureAwaitOptions.SuppressThrowing` option isn't supported by the generic `Task<TResult>`, since that might lead to returning an invalid `TResult`. |
+> | [CA2262: Set `MaxResponseHeadersLength` properly](ca2262.md) | Make sure the `MaxResponseHeadersLength` value is provided correctly. This value is measured in kilobytes. |
 > | [CA2300: Do not use insecure deserializer BinaryFormatter](ca2300.md) | Insecure deserializers are vulnerable when deserializing untrusted data. An attacker could modify the serialized data to include unexpected types to inject objects with malicious side effects. |
 > | [CA2301: Do not call BinaryFormatter.Deserialize without first setting BinaryFormatter.Binder](ca2301.md) | Insecure deserializers are vulnerable when deserializing untrusted data. An attacker could modify the serialized data to include unexpected types to inject objects with malicious side effects. |
 > | [CA2302: Ensure BinaryFormatter.Binder is set before calling BinaryFormatter.Deserialize](ca2302.md) | Insecure deserializers are vulnerable when deserializing untrusted data. An attacker could modify the serialized data to include unexpected types to inject objects with malicious side effects. |

docs/fundamentals/code-analysis/quality-rules/usage-warnings.md

@@ -1,15 +1,13 @@
 ---
 title: Usage rules (code analysis)
 description: "Learn about code analysis usage rules."
-ms.date: 11/16/2023
+ms.date: 01/31/2024
 f1_keywords:
 - vs.codeanalysis.usagerules
 helpviewer_keywords:
 - rules, usage
 - managed code analysis rules, usage rules
 - usage rules
-author: gewarren
-ms.author: gewarren
 ---
 # Usage rules
 
@@ -63,3 +61,4 @@ Usage rules support proper usage of .NET.
 | [CA2259: Ensure `ThreadStatic` is only used with static fields](ca2259.md) | <xref:System.ThreadStaticAttribute> only affects `static` (`Shared` in Visual Basic) fields. When applied to instance fields, the attribute has no impact on behavior. |
 | [CA2260: Implement generic math interfaces correctly](ca2260.md) | Generic math interfaces require the derived type itself to be used for the self-recurring type parameter. |
 | [CA2261: Do not use `ConfigureAwaitOptions.SuppressThrowing` with `Task<TResult>`](ca2261.md) | The `ConfigureAwaitOptions.SuppressThrowing` option isn't supported by the generic `Task<TResult>`, since that might lead to returning an invalid `TResult`. |
+| [CA2262: Set `MaxResponseHeadersLength` properly](ca2262.md) | Make sure the `MaxResponseHeadersLength` value is provided correctly. This value is measured in kilobytes. |

docs/navigate/tools-diagnostics/toc.yml

@@ -1375,6 +1375,8 @@ items:
                     href: ../../fundamentals/code-analysis/quality-rules/ca2260.md
                   - name: CA2261
                     href: ../../fundamentals/code-analysis/quality-rules/ca2261.md
+                  - name: CA2262
+                    href: ../../fundamentals/code-analysis/quality-rules/ca2262.md
           - name: Code style rules
             items:
               - name: Overview