How can developers address CSRF vulnerabilities in quick action components that require immediate DML operations?
Answer
To address CSRF vulnerabilities in quick action components that require immediate DML operations:
1. **Avoid Automatic DML Operations**: Do not perform state changes or DML operations during the component's initialization. Instead, trigger these operations through explicit user actions, like a button click.
2. **Use Confirmation Tokens**: Implement CSRF protection by using confirmation tokens. For Visualforce pages, enabling the `confirmationTokenRequired` metadata field ensures that GET requests require a CSRF token in the URL, preventing unauthorized access.
3. **Follow Secure Coding Practices**: For Lightning components, ensure secure coding practices are followed and avoid automatic DML operations during instantiation.
Let me know if you need further clarification!
How can developers address CSRF vulnerabilities in quick action components that require immediate DML operations?
Recommended Answer Update
To address CSRF vulnerabilities in quick action components that require immediate DML operations:
1. **Avoid Automatic DML Operations**: Don't perform state changes or DML operations during the component's initialization. Instead, trigger these operations through explicit user actions, like a button click.
2. **Use Confirmation Tokens**: Implement CSRF protection by using confirmation tokens. For Visualforce pages, enabling the `confirmationTokenRequired` metadata field ensures that GET requests require a CSRF token in the URL, preventing unauthorized access.
3. **Follow Secure Coding Practices**: For Lightning components, ensure secure coding practices are followed and avoid automatic DML operations during instantiation.
Let me know if you need further clarification!
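The contrast between points 1 and 2 is easier to see in code. The following Apex is an added example, not part of the FAQ above or of any Salesforce documentation: the first controller runs DML inside its constructor (the pattern the ApexCSRF rule flags), the second moves the same DML into an action method bound to a button. The custom field `Account.Status__c`, the class names and the method name are assumptions made for the illustration.

```apex
// Added example (not from the FAQ). Assumes a hypothetical custom field
// Account.Status__c; class and method names are illustrative.

// BEFORE: the pattern the ApexCSRF rule detects. The update executes while the
// controller is instantiated, so simply loading the page (a GET that any link or
// image tag can trigger) changes data without the user deciding anything.
public with sharing class CloseAccountVulnerableController {
    private final Id recordId;

    public CloseAccountVulnerableController(ApexPages.StandardController stdController) {
        recordId = stdController.getId();
        // DML during initialization: no explicit user action, no POST, no token check.
        update new Account(Id = recordId, Status__c = 'Closed');
    }
}

// AFTER: the constructor only reads state. The DML lives in an action method that a
// <apex:commandButton action="{!closeAccount}"/> invokes; that is a POST carrying the
// platform's anti-forgery token, which Visualforce validates before the method runs.
public with sharing class CloseAccountController {
    private final Id recordId;
    public Boolean closed { get; private set; }

    public CloseAccountController(ApexPages.StandardController stdController) {
        recordId = stdController.getId();
        closed = false;
    }

    // Explicit user action: the only place a state change happens.
    public PageReference closeAccount() {
        // Enforce object and field access before writing anything.
        if (!Schema.sObjectType.Account.fields.Status__c.isUpdateable()) {
            ApexPages.addMessage(new ApexPages.Message(
                ApexPages.Severity.ERROR, 'Insufficient access to update this record.'));
            return null;
        }
        Account acct = [SELECT Id, Status__c
                        FROM Account
                        WHERE Id = :recordId
                        WITH SECURITY_ENFORCED
                        LIMIT 1];
        acct.Status__c = 'Closed';
        update acct;
        closed = true;
        return null; // stay on the page and show the result
    }
}
```

For a quick action that genuinely must act on load from a GET link, the fallback described in point 2 is to set `confirmationTokenRequired` to `true` in the page's metadata, so the platform rejects GET requests that do not carry a valid token in the URL. That is a weaker control than moving the DML behind a POSTed button, because the token then has to be threaded into every link that opens the page. The same rule holds for Lightning components: do not invoke a DML-performing Apex method from component initialization; invoke it from a handler tied to a user gesture.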
Reasoning
The FAQ content is accurate and addresses an important security concern. I made minor wording improvements for better clarity and conciseness: changed "Do not perform" to "Don't perform" for a more conversational tone per the brand guidelines. The technical content remains accurate and complete.
For security rules selection:
- **ApexCSRF**: This rule directly relates to the FAQ's core topic of addressing CSRF vulnerabilities. The FAQ discusses CSRF protection strategies including avoiding automatic DML operations and using confirmation tokens, which aligns with what this rule detects and prevents.
- **VfCsrf**: This rule is specifically mentioned in the FAQ content when discussing Visualforce pages and the `confirmationTokenRequired` metadata field. The FAQ explicitly covers Visualforce CSRF protection mechanisms that this rule addresses.