FAQ-000176 - CSRF and DML Security Issues / DML Operations on Component Load


Current FAQ

Question
How can I perform necessary DML operations during component load while meeting security requirements?
Answer
To perform necessary DML operations during component load while meeting security requirements:

1. **Require User Interaction**: Trigger the DML from a button or similar user action instead of running it automatically when the component loads. A GET request that changes data is the classic CSRF target, and it is exactly what the ApexCSRF rule (DML in a controller constructor or initializer) and the VfCsrf rule (an `action` attribute on `<apex:page>`) report.

2. **Enforce Access Checks**: Check object- and field-level permissions before any DML, for example `Schema.sObjectType.Account.isCreateable()` / `isUpdateable()` together with the matching field describes, or let the platform enforce them with `Security.stripInaccessible()` or user-mode DML (`insert as user`, `update as user`). Missing checks are what ApexCRUDViolation reports.

3. **Enable CSRF Protection**: If DML on load is truly unavoidable, turn on CSRF protection for the page. For Visualforce, enable "Require CSRF protection on GET requests" on the page in Setup, which corresponds to `confirmationTokenRequired` set to `true` in the page's metadata; the page then rejects GET requests that do not carry a valid confirmation token, so test any hard-coded links into the page. Lightning components (Aura and LWC) call Apex through the framework's server transport, which carries its own CSRF token, so the remaining concern there is the unintended side effect on load, which point 1 addresses.

These steps help maintain security while allowing necessary operations.
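The three points above, as an added example (not code from the original FAQ or from Salesforce): a Visualforce controller that updates a record on page load, beside a version that moves the write behind a button, checks CRUD and FLS first, and shows where the `confirmationTokenRequired` setting lives if a load-time action cannot be removed. The class names, the custom field `Account.Visit_Count__c` and the API version are assumptions.

```apex
// Added example for this FAQ (not Salesforce's or the page's own code).
// Assumptions: a custom number field Account.Visit_Count__c exists and the
// org runs API 58.0+ (for WITH USER_MODE and "update as user").

// BEFORE: flagged by ApexCSRF and ApexCRUDViolation. Loading the page (a plain
// GET with ?id=...) runs the update, so any link a victim opens changes data,
// and nothing checks whether the user may edit the object or the field.
public with sharing class VisitCounterBad {
    public Account acct { get; set; }

    public VisitCounterBad() {
        Id acctId = Id.valueOf(ApexPages.currentPage().getParameters().get('id'));
        acct = [SELECT Id, Visit_Count__c FROM Account WHERE Id = :acctId];
        Decimal visits = acct.Visit_Count__c;
        if (visits == null) { visits = 0; }
        acct.Visit_Count__c = visits + 1;
        update acct; // DML in a constructor = DML on component load
    }
}

// AFTER: the constructor only reads; the write is a user-triggered POST with
// object- and field-level checks before the DML.
public with sharing class VisitCounterGood {
    public Account acct { get; set; }

    public VisitCounterGood() {
        Id acctId = Id.valueOf(ApexPages.currentPage().getParameters().get('id'));
        acct = [SELECT Id, Visit_Count__c FROM Account WHERE Id = :acctId WITH USER_MODE];
    }

    // Point 1: invoked from <apex:commandButton>, so it is a POST carrying the
    // Visualforce form token, not something a crafted GET link can trigger.
    public PageReference recordVisit() {
        // Point 2: explicit CRUD/FLS checks (what ApexCRUDViolation looks for).
        if (!Schema.sObjectType.Account.isUpdateable()
                || !Schema.sObjectType.Account.fields.Visit_Count__c.isUpdateable()) {
            ApexPages.addMessage(new ApexPages.Message(ApexPages.Severity.ERROR,
                'You do not have permission to update Account.Visit_Count__c.'));
            return null;
        }
        Decimal visits = acct.Visit_Count__c;
        if (visits == null) { visits = 0; }
        acct.Visit_Count__c = visits + 1;
        // User-mode DML makes the platform enforce CRUD/FLS at runtime as well,
        // throwing if the describe checks above were ever bypassed.
        update as user acct;
        return null;
    }
}

/* Matching page. Note there is no action="..." on <apex:page>: that attribute
   is exactly what VfCsrf flags, because it runs a controller method on GET.

   VisitCounterGood.page
   <apex:page controller="VisitCounterGood">
     <apex:form>
       <apex:pageMessages/>
       <apex:outputText value="Visits: {!acct.Visit_Count__c}"/>
       <apex:commandButton value="Record visit" action="{!recordVisit}"/>
     </apex:form>
   </apex:page>

   Point 3, only if a load-time action truly cannot be removed: the Setup
   checkbox "Require CSRF protection on GET requests" is this metadata flag.
   VisitCounterGood.page-meta.xml
   <?xml version="1.0" encoding="UTF-8"?>
   <ApexPage xmlns="http://soap.sforce.com/2006/04/metadata">
     <apiVersion>58.0</apiVersion>
     <confirmationTokenRequired>true</confirmationTokenRequired>
     <label>VisitCounterGood</label>
   </ApexPage>
*/
```

Deploy both classes and the page to a scratch org, open `/apex/VisitCounterGood?id=<AccountId>`: the count does not change on load and only moves when the button is pressed. Running the PMD Apex ruleset over the two classes shows ApexCSRF and ApexCRUDViolation on `VisitCounterBad` and nothing on `VisitCounterGood`.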

AI Recommended Enhancement

Related Security Rules
ApexCSRF, ApexCRUDViolation, VfCsrf
Reasoning
The FAQ content is accurate and well-structured, addressing legitimate security concerns around DML operations during component load. No outdated content was detected. The answer appropriately covers user interaction requirements, access checks, and CSRF protection, which align with security best practices. Related security rules selected:

1. **ApexCSRF**: Directly relates to the FAQ's discussion of CSRF protection in point 3, which says to "ensure CSRF protection is enabled" and specifically references `ConfirmationTokenRequired=true` for Visualforce pages.

2. **ApexCRUDViolation**: Corresponds to point 2 of the FAQ answer, which discusses enforcing access checks using `isCreateable()` and `isUpdateable()` before performing DML operations.

3. **VfCsrf**: Applies to the Visualforce CSRF protection mentioned in point 3, where the FAQ explicitly says to set `ConfirmationTokenRequired=true` for Visualforce pages.