FAQ-000173 - CSRF and DML Security Issues / DML Operations on Component Load


Current FAQ

Question
Can Visualforce pages with CSRF protection enabled perform DML operations on page load?
Answer
Visualforce pages with CSRF protection enabled can perform DML operations on page load if the page's `confirmationTokenRequired` attribute is set to true. With that setting, GET requests to the page must carry a CSRF confirmation token in the URL, so a request forged from another site cannot trigger the load-time action. However, it is recommended to avoid performing DML operations on page load altogether and instead to trigger them through explicit user actions, such as button clicks, to enhance security.
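As an added illustration that is not part of the original FAQ: the page pattern the VfCsrf rule flags, the page metadata setting the answer refers to, and the preferred form in which the DML runs only from a button. The page name `AuditLogPage`, the controller `AuditLogController` and its method `recordVisit` (assumed to insert a record) are assumptions for this example.

```xml
<!-- AuditLogPage.page: the pattern the VfCsrf rule flags. The action attribute
     runs {!recordVisit} (assumed controller method that performs DML) on every
     GET of the page, so a link planted on another site can trigger that DML. -->
<apex:page controller="AuditLogController" action="{!recordVisit}">
    <h1>Audit log</h1>
</apex:page>

<!-- AuditLogPage.page-meta.xml: the setting the FAQ refers to. With
     confirmationTokenRequired set to true, a GET for this page that lacks a
     valid CSRF confirmation token in the URL is rejected before the action runs
     (Setup shows this as "Require CSRF protection on GET requests"). -->
<?xml version="1.0" encoding="UTF-8"?>
<ApexPage xmlns="http://soap.sforce.com/2006/04/metadata">
    <apiVersion>58.0</apiVersion>
    <availableInTouch>false</availableInTouch>
    <confirmationTokenRequired>true</confirmationTokenRequired>
    <label>AuditLogPage</label>
</ApexPage>

<!-- Preferred form: no action on load. The DML runs only from an explicit
     user click; the apex:form postback carries Visualforce's own CSRF token. -->
<apex:page controller="AuditLogController">
    <apex:form>
        <apex:commandButton value="Record visit" action="{!recordVisit}"/>
    </apex:form>
</apex:page>
```

Links built with `$Page.AuditLogPage` or a `PageReference` to the page receive the confirmation token automatically; hand-typed or externally supplied URLs do not.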

AI Recommended Enhancement

Related Security Rules
ApexCSRF, VfCsrf
Recommended Answer Update
Unchanged from the current answer above.
Reasoning
The existing answer is accurate and well-structured, covering the key technical points about CSRF protection and DML operations. No significant changes are needed, as the content correctly explains the confirmationTokenRequired attribute and provides appropriate security guidance.

The rule associations are based on content that directly relates to CSRF protection mechanisms. ApexCSRF relates to the FAQ's discussion of CSRF protection in Visualforce pages and the security implications of performing DML operations on page load; the FAQ specifically mentions 'CSRF protection enabled' and 'CSRF token in the URL', which aligns with this rule's purpose of detecting CSRF vulnerabilities. VfCsrf relates to the FAQ's focus on Visualforce-specific CSRF protection mechanisms, particularly the confirmationTokenRequired attribute; the FAQ discusses Visualforce pages with CSRF protection and the specific attribute used to control it, which matches this rule's scope of Visualforce CSRF security.