FAQ-000168 - CSRF and DML Security Issues / DML Operations on Component Load

To perform a DML operation on component load without introducing a CSRF risk in Salesforce: - **Avoid DML on Initialization**: Don't execute DML operations during the initialization of a component or page. - **Trigger via User Action**: Instead, trigger the DML operation through a user action, such as a button click. - **Enable CSRF Token Requirement**: For Visualforce pages, enable the `confirmationTokenRequired` attribute to ensure GET requests require a CSRF token, reducing the risk.

The original answer was well-structured and accurate, but contained minor wording improvements that enhance clarity and conciseness. The changes made were: 1) Changed 'Do not execute' to 'Don't execute' for a more conversational tone, 2) Removed redundant 'such as a button click' phrase that appeared twice in the bullet point structure. These changes maintain all the original technical content and advice while making the text flow more naturally. For security rules selected: - ApexCSRF: This rule directly relates to the FAQ's core topic of preventing CSRF vulnerabilities when performing DML operations. The FAQ specifically addresses how to avoid CSRF risks through proper implementation patterns, which is exactly what this rule detects and prevents. - VfCsrf: This rule is highly relevant because the FAQ explicitly mentions Visualforce pages and the `confirmationTokenRequired` attribute as a solution for CSRF protection. The rule specifically covers CSRF vulnerabilities in Visualforce pages, making it directly applicable to the FAQ's recommended solution.