FAQ-000157 - CSRF and DML Security Issues / CSRF Token Implementation and Validation

Current Status:VALID_RESPONSEErrorUnable to AnswerSuggests Case

Question: What are the proper CSRF protection mechanisms and requirements beyond custom headers?

Answer: To ensure proper CSRF protection beyond custom headers, implement the following mechanisms: 1. **Enable `confirmationTokenRequired`**: For Visualforce pages, set the `confirmationTokenRequired` metadata field to `true`. This ensures GET requests to the page require a CSRF token in the URL, making the page inaccessible if the token is omitted. 2. **Avoid State Changes on Page Load**: Avoid performing state changes or DML operations in Apex controllers during page instantiation. Trigger state changes through explicit user actions, like button clicks. 3. **Use Random Tokens**: Generate completely random CSRF tokens with sufficient entropy and include them in requests. Validate these tokens on the server side. 4. **Session-Based Tokens**: Use a single CSRF token per session to reduce risk, as an attacker would need to guess the token within the session window. 5. **Authentication by Tokens**: For redirections or sensitive actions, ensure user interaction and validate the redirection using authentication tokens. 6. **Custom Metadata for Sensitive Information**: Store sensitive information, such as tokens, in custom metadata objects in protected mode to enhance security. 7. **Follow Secure Coding Practices**: Adhere to secure coding guidelines, such as validating user inputs and avoiding vulnerabilities like open redirects. These measures collectively enhance CSRF protection and mitigate associated risks.

Enhancing FAQ...

Enhancing FAQ with AI recommendations...

Question: What are the proper CSRF protection mechanisms and requirements beyond custom headers?

Recommended Answer Update: To ensure proper CSRF protection beyond custom headers, implement the following mechanisms: 1. **Enable `confirmationTokenRequired`**: For Visualforce pages, set the `confirmationTokenRequired` metadata field to `true`. This ensures GET requests to the page require a CSRF token in the URL, making the page inaccessible if the token is omitted. 2. **Avoid State Changes on Page Load**: Don't perform state changes or DML operations in Apex controllers during page instantiation. Trigger state changes through explicit user actions, like button clicks. 3. **Use Random Tokens**: Generate completely random CSRF tokens with sufficient entropy and include them in requests. Validate these tokens on the server side. 4. **Session-Based Tokens**: Use a single CSRF token per session to reduce risk, as an attacker would need to guess the token within the session window. 5. **Authentication by Tokens**: For redirections or sensitive actions, ensure user interaction and validate the redirection using authentication tokens. 6. **Custom Metadata for Sensitive Information**: Store sensitive information, such as tokens, in custom metadata objects in protected mode to enhance security. 7. **Follow Secure Coding Practices**: Follow secure coding guidelines, such as validating user inputs and avoiding vulnerabilities like open redirects. These measures collectively enhance CSRF protection and mitigate associated risks.

Reasoning: Made minor improvements to enhance clarity and conciseness while preserving all content: 1. Changed 'Avoid performing' to 'Don't perform' in point 2 for more direct, conversational tone 2. Changed 'Adhere to' to 'Follow' in point 7 for simpler, more accessible language No outdated content was detected - all technical information remains current and accurate. Security rules selected: - **ApexCSRF**: This rule directly relates to the FAQ's core topic of CSRF protection mechanisms. The FAQ discusses CSRF token implementation, validation, and secure coding practices to prevent CSRF vulnerabilities, which is exactly what this rule detects and prevents. - **VfCsrf**: This rule specifically applies to the FAQ's discussion of Visualforce CSRF protection, particularly the `confirmationTokenRequired` metadata field mentioned in point 1. The FAQ explains proper Visualforce CSRF implementation, which this rule validates.

Reasoning References

Current FAQ