FAQ-000177 - CSRF and DML Security Issues / DML Operations on Component Load

Current FAQ

Question
Is it considered a CSRF vulnerability to perform a DML operation on page load for analytics or user tracking purposes?
Answer
Yes, performing a DML operation on page load, even for analytics or user tracking purposes, is considered a CSRF vulnerability. This is because state changes or DML operations triggered on page instantiation bypass the platform's default CSRF protection. To mitigate this, it's recommended to trigger such operations through explicit user actions, like a button click, or enable the `confirmationTokenRequired` attribute for Visualforce pages.
AI Recommended Enhancement

Related Security Rules
ApexCSRF, VfCsrf
Question
Is it considered a CSRF vulnerability to perform a DML operation on page load for analytics or user tracking purposes?
Recommended Answer Update
Yes, performing a DML operation on page load, even for analytics or user tracking purposes, is considered a CSRF vulnerability. This is because state changes or DML operations triggered on page instantiation bypass the platform's default CSRF protection. To mitigate this, trigger such operations through explicit user actions, like a button click, or enable the `confirmationTokenRequired` attribute for Visualforce pages.
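The vulnerable and hardened forms described in this answer (and in the original answer above), as an added example that is not part of the FAQ or of Salesforce's own code; the `VisitTrackerController` class, its `trackVisit` method and the `Page_Visit__c` object with its `Page_Name__c` field are assumed, constructed names:

```apex
// Vulnerable Visualforce page: the action attribute runs trackVisit when the
// page is instantiated, i.e. on a plain GET request that carries no anti-CSRF
// token. This is the pattern the ApexCSRF / VfCsrf rules flag.
//
// <apex:page controller="VisitTrackerController" action="{!trackVisit}">
//   ...
// </apex:page>
//
// Hardened Visualforce page: no DML on page load. The insert is bound to a
// commandButton inside <apex:form>, so it only runs on an explicit user
// action and the resulting POST carries the platform's CSRF token.
// (The FAQ's other mitigation, the confirmationTokenRequired attribute on the
// page, is not shown here.)
//
// <apex:page controller="VisitTrackerController">
//   <apex:form>
//     <apex:commandButton action="{!trackVisit}" value="Start session"/>
//   </apex:form>
// </apex:page>

public with sharing class VisitTrackerController {

    // Keep the constructor free of DML: it runs on every page instantiation,
    // including GET requests triggered from a third-party site.
    public VisitTrackerController() {}

    // Invoked only from the commandButton above, never from the page's
    // action attribute.
    public PageReference trackVisit() {
        Page_Visit__c visit = new Page_Visit__c(          // assumed custom object
            Page_Name__c = ApexPages.currentPage().getUrl() // assumed text field
        );
        insert visit;
        return null; // stay on the current page
    }
}
```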
Reasoning
The original answer was well-structured but contained one minor wording issue that reduced clarity. The phrase 'it's recommended to trigger' was changed to 'trigger' to be more direct and actionable, following the brand guidelines to use active voice and be concise. This change makes the mitigation advice clearer and more definitive. The ApexCSRF rule was selected because it directly detects CSRF vulnerabilities in Apex code where DML operations lack proper CSRF protection, which is exactly what this FAQ discusses - the vulnerability of performing DML operations on page load without CSRF safeguards. The VfCsrf rule was selected because it specifically addresses CSRF vulnerabilities in Visualforce pages and the FAQ explicitly mentions the `confirmationTokenRequired` attribute for Visualforce pages as a mitigation strategy, which directly relates to this rule's purpose of ensuring proper CSRF protection in Visualforce contexts.