Are CSRF tokens required for external API servers that only receive GET requests from Salesforce applications?
Answer
CSRF tokens are not required for external API servers that only receive GET requests from Salesforce applications. However, it is recommended to validate the requests to ensure they are legitimate and secure.
Are CSRF tokens required for external API servers that only receive GET requests from Salesforce applications?
Recommended Answer Update
CSRF tokens are not required for external API servers that only receive GET requests from Salesforce applications. However, it's recommended to validate the requests to ensure they're legitimate and secure.
Reasoning
The FAQ content is accurate and addresses CSRF token requirements appropriately. The only minor improvement needed is replacing 'it is recommended' with the more conversational 'it's recommended', in line with the brand guideline to use contractions and keep a conversational tone. No outdated content was detected, as the core security principle still holds: CSRF tokens are not required for GET requests because a GET must not change server state, so there is nothing for a forged cross-site GET to trigger; validating the requests is still good practice.
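To make the answer concrete, the following is an added example (not from the FAQ or from Salesforce) of a minimal external API handler that serves only read-only GET endpoints and validates each request with a bearer token that the Salesforce callout sets explicitly. The shared secret and the account table are constructed placeholders. No CSRF token is needed because the credential is not a cookie a browser would attach automatically, and because nothing reachable by GET changes state.

```python
import hmac
import json
from typing import Dict, Tuple

# Constructed shared secret for the example; a real deployment would load it
# from a secret store, never from source code.
EXPECTED_BEARER = "example-shared-secret-not-real"

# Read-only data that the GET endpoints serve (constructed sample).
ACCOUNTS = {"001": {"name": "Acme", "tier": "gold"}}


def _authorized(headers: Dict[str, str]) -> bool:
    """Validate the bearer token sent by the Salesforce callout.

    The token travels in a header the caller sets on purpose, not in a cookie
    a browser would attach automatically, which is why no CSRF token is needed
    on top of it. Compare in constant time to avoid a timing side channel.
    """
    auth = headers.get("Authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme != "Bearer" or not token:
        return False
    return hmac.compare_digest(token, EXPECTED_BEARER)


def handle(method: str, path: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Dispatch one request and return (status, body).

    Only GET is served and every GET handler below is read-only, so there is
    no state change a cross-site request could trigger. Any other method is
    refused with 405 before authentication is even considered.
    """
    if method != "GET":
        return 405, json.dumps({"error": "method not allowed"})
    if not _authorized(headers):
        return 401, json.dumps({"error": "unauthorized"})
    prefix = "/accounts/"
    if path.startswith(prefix):
        acct = ACCOUNTS.get(path[len(prefix):])
        if acct is None:
            return 404, json.dumps({"error": "not found"})
        return 200, json.dumps(acct)
    return 404, json.dumps({"error": "not found"})
```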
For ApexCSRF rule: This rule is relevant because the FAQ discusses CSRF token requirements, which is exactly what the ApexCSRF rule addresses. The FAQ content about 'CSRF tokens are not required for external API servers that only receive GET requests' directly relates to CSRF protection concepts that this rule would flag when missing.
For VfCsrf rule: This rule is relevant because it also deals with CSRF protection, specifically in Visualforce contexts. The FAQ's discussion of 'CSRF tokens are not required for external API servers that only receive GET requests from Salesforce applications' relates to the broader CSRF security concepts that this rule addresses, as Salesforce applications often include Visualforce components that make external requests.