FAQ-000181 - CSRF and DML Security Issues / DML Operations on Component Load


Current FAQ

Question
When is it acceptable to perform DML operations during component initialization for admin-level configuration checks?
Answer
Performing DML operations during component initialization is generally not recommended, even for admin-level configuration checks, because it can bypass Salesforce's default CSRF protection. A state change or DML operation triggered on page instantiation executes before the rest of the page loads, so it runs without the user having submitted anything, which is what makes it vulnerable to a forged request. Instead, trigger such operations through explicit user actions, such as button clicks, so that the platform's CSRF protection applies to the request that performs the change.

AI Recommended Enhancement

Related Security Rules
ApexCSRF
VfCsrf
Question
When is it acceptable to perform DML operations during component initialization for admin-level configuration checks?
Recommended Answer Update
Performing DML operations during component initialization is generally not recommended, even for admin-level configuration checks, due to potential security vulnerabilities like bypassing Salesforce's default CSRF protection. State changes or DML operations triggered on page instantiation execute before the rest of the page loads, making them vulnerable. Instead, it's advisable to trigger such operations through explicit user actions, such as button clicks, to ensure proper security measures are in place.
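The contrast described in the answer above (and in the original FAQ answer), shown as an added Apex example that is not code from the FAQ or from Salesforce: a controller that writes configuration on page load beside one that only reads on load and writes from a command button. The custom setting App_Config__c, its field Feature_Enabled__c and the custom permission Manage_App_Config are assumed names; the two classes would live in separate class files.

```apex
// Pattern the FAQ warns against: DML triggered on page load.
// Visualforce: <apex:page controller="ConfigSetupVulnerable" action="{!initConfig}">
// The page action (like the constructor) runs on the initial GET, before any
// <apex:form> renders, so no form submission and no anti-CSRF token is involved.
public with sharing class ConfigSetupVulnerable {
    public PageReference initConfig() {
        App_Config__c cfg = App_Config__c.getOrgDefaults(); // assumed hierarchy custom setting
        cfg.Feature_Enabled__c = true;                       // assumed checkbox field
        upsert cfg;   // state change on GET: reachable without the CSRF check
        return null;
    }
}

// Recommended pattern: load is read-only; the change is an explicit button action.
// Visualforce:
//   <apex:page controller="ConfigSetupController">
//     <apex:form>
//       <apex:outputText value="Feature enabled: {!featureEnabled}"/>
//       <apex:commandButton action="{!enableFeature}" value="Enable feature"/>
//     </apex:form>
//   </apex:page>
public with sharing class ConfigSetupController {
    public Boolean featureEnabled { get; private set; }
    public Boolean canManage { get; private set; }

    public ConfigSetupController() {
        // Initialization only inspects configuration; nothing is written here.
        App_Config__c cfg = App_Config__c.getOrgDefaults();
        featureEnabled = cfg.Feature_Enabled__c == true;
        // Assumed custom permission that gates the admin-only action.
        canManage = FeatureManagement.checkPermission('Manage_App_Config');
    }

    // Reached only via the commandButton POST inside <apex:form>, which carries the
    // Visualforce anti-CSRF token that the platform validates before this runs.
    public PageReference enableFeature() {
        if (!canManage
            || !Schema.sObjectType.App_Config__c.fields.Feature_Enabled__c.isUpdateable()) {
            ApexPages.addMessage(new ApexPages.Message(
                ApexPages.Severity.ERROR, 'Insufficient privileges to change configuration.'));
            return null;
        }
        App_Config__c cfg = App_Config__c.getOrgDefaults();
        cfg.Feature_Enabled__c = true;
        upsert cfg;
        featureEnabled = true;
        return null;
    }
}
```

The hardened controller also re-checks the caller's permission and field-level update access inside the action itself, since the button being rendered is not by itself a guarantee of who submitted the request.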
Reasoning
The answer content is accurate and well-structured, but it has a minor stylistic issue: it uses the uncontracted 'it is' where the conversational tone guidelines call for 'it's'. The FAQ correctly identifies CSRF as the primary security concern when performing DML operations during component initialization and provides appropriate guidance to use explicit user actions instead.

For the ApexCSRF rule: this rule detects Cross-Site Request Forgery vulnerabilities in Apex code, which relates directly to the FAQ's discussion of 'bypassing Salesforce's default CSRF protection' when performing DML operations during component initialization. The FAQ explains exactly the vulnerability this rule is designed to catch.

For the VfCsrf rule: this rule identifies CSRF vulnerabilities in Visualforce pages, which is relevant to the FAQ's guidance about component initialization and its recommendation to use explicit user actions like 'button clicks' to trigger DML operations safely in web components.
Reasoning References