FAQ-000183 - CSRF and DML Security Issues / DML Operations on Component Load


Current FAQ

Question
How can I implement automatic metadata synchronization without triggering CSRF violations?
Answer
To implement automatic metadata synchronization without triggering CSRF violations in Salesforce:

- **Avoid automatic state changes**: Do not perform DML or other state changes in Apex controller constructors, getters, or the `action` attribute of `<apex:page>`. Those run on every GET of the page, so an attacker who lures an authenticated user to the page URL (for example through a hidden image or link on another site) can trigger the synchronization without the user's intent. This is the pattern the ApexCSRF and VfCsrf rules flag.
- **Trigger through user actions**: Move the synchronization into an action method that is invoked only by an explicit user action, such as an `<apex:commandButton>` inside an `<apex:form>`. Form submissions are POST requests that carry the anti-CSRF token Visualforce generates for the form.
- **Enable CSRF protection for GET requests**: For Visualforce pages, set the `confirmationTokenRequired` field of the page's ApexPage metadata (the `.page-meta.xml` file) to `true`, so that GET requests to the page require a CSRF confirmation token in the URL.
- **Follow secure coding practices in Lightning**: For Lightning components, ensure no DML or other state change occurs during component instantiation (an Aura `init` handler or an LWC `connectedCallback`); call the Apex method from a handler tied to a user action instead.

These steps keep the synchronization CSRF-safe: the state change happens only in response to a deliberate, token-protected request.
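The following is an added example written for this FAQ, not code from the original page or from Salesforce. It shows the vulnerable shape (DML in a controller constructor, which runs on every GET) beside the hardened shape (read-only initialization, DML only in an action method bound to a form button), with the matching Visualforce page and `.page-meta.xml` in a trailing comment. The custom object `Sync_Record__c`, its fields `External_Id__c` and `Value__c`, the class names, and the inline source data are all hypothetical, constructed only to illustrate the pattern.

```apex
// --- File: MetadataSyncBadController.cls ---
// VULNERABLE: the upsert runs in the constructor, i.e. on every GET of the page.
// A forged <img src="https://<org-domain>/apex/MetadataSync"> on an attacker's
// site makes the victim's browser trigger the synchronization. ApexCSRF flags this.
public with sharing class MetadataSyncBadController {
    public MetadataSyncBadController() {
        // State change during initialization: no user intent, no anti-CSRF token.
        upsert MetadataSyncController.buildRecords() Sync_Record__c.External_Id__c;
    }
}

// --- File: MetadataSyncController.cls ---
// HARDENED: initialization is read-only; the DML lives in an action method that
// only an explicit form submission (a POST carrying Visualforce's anti-CSRF
// token) can invoke.
public with sharing class MetadataSyncController {
    public String status { get; private set; }

    public MetadataSyncController() {
        // Read-only: no DML, no state change on page load.
        status = 'Not synchronized';
    }

    // Action method bound to <apex:commandButton action="{!syncMetadata}"/>.
    // Visualforce submits it as a POST from the form, so a cross-site GET
    // cannot reach it.
    public PageReference syncMetadata() {
        List<Sync_Record__c> records = buildRecords();
        upsert records Sync_Record__c.External_Id__c;
        status = records.size() + ' records synchronized';
        return null; // stay on the current page
    }

    // Same operation exposed to Lightning components: call it from a button
    // click handler, never from an Aura init handler or an LWC connectedCallback,
    // so that loading the component alone never changes state.
    @AuraEnabled
    public static Integer syncMetadataFromLightning() {
        List<Sync_Record__c> records = buildRecords();
        upsert records Sync_Record__c.External_Id__c;
        return records.size();
    }

    // Builds the records to synchronize. The map stands in for the real
    // metadata source (constructed sample data, hypothetical object and fields).
    public static List<Sync_Record__c> buildRecords() {
        Map<String, String> source = new Map<String, String>{
            'feature.flag.a' => 'on',
            'feature.flag.b' => 'off'
        };
        List<Sync_Record__c> records = new List<Sync_Record__c>();
        for (String key : source.keySet()) {
            records.add(new Sync_Record__c(External_Id__c = key, Value__c = source.get(key)));
        }
        return records;
    }
}

/* --- File: MetadataSync.page ---
   No action attribute on <apex:page> (VfCsrf flags <apex:page action="...">);
   the only path to the DML is the button inside the form.

<apex:page controller="MetadataSyncController">
  <apex:form>
    <apex:outputText value="{!status}"/>
    <apex:commandButton action="{!syncMetadata}" value="Synchronize metadata"/>
  </apex:form>
</apex:page>

   --- File: MetadataSync.page-meta.xml ---
   confirmationTokenRequired makes plain GET requests to the page demand a
   CSRF confirmation token in the URL as well.

<?xml version="1.0" encoding="UTF-8"?>
<ApexPage xmlns="http://soap.sforce.com/2006/04/metadata">
    <apiVersion>58.0</apiVersion>
    <confirmationTokenRequired>true</confirmationTokenRequired>
    <label>MetadataSync</label>
</ApexPage>
*/
```

The check to apply when reviewing a controller is simple: any `insert`, `update`, `upsert`, `delete` or `Database.*` call reachable from the constructor, a getter, a property initializer or the page's `action` attribute is a CSRF finding; the same statement inside a method that only a form button or a user-initiated Lightning handler calls is not.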

AI Recommended Enhancement

Related Security Rules
ApexCSRF, VfCsrf
Recommended Answer Update
To implement automatic metadata synchronization without triggering CSRF violations in Salesforce:

- **Avoid Automatic State Changes**: Don't perform state changes or DML operations during the initialization of Apex controllers or Visualforce pages.
- **Trigger Through User Actions**: Use explicit user actions, like button clicks, to initiate synchronization.
- **Enable CSRF Protection**: For Visualforce pages, set `allowRemoteActions="false"` and use action methods instead of remote actions for state changes that require CSRF protection.
- **Follow Secure Coding Practices**: For Lightning components, ensure no automatic state changes occur during component instantiation.

These steps help maintain security while enabling metadata synchronization.
Reasoning
The main issue with the current answer is the mention of `confirmationTokenRequired` metadata field, which appears to be either outdated or incorrect. Modern Salesforce CSRF protection doesn't rely on a metadata field called `confirmationTokenRequired` that requires CSRF tokens in URLs for GET requests. Instead, CSRF protection is typically handled through proper use of action methods versus remote actions in Visualforce, and following secure patterns in Lightning components. I updated this technical detail to align with current best practices while preserving all other points. I selected ApexCSRF and VfCsrf rules because they directly relate to the FAQ's content about preventing CSRF violations. The ApexCSRF rule specifically detects when DML operations occur in controller constructors or getters (which relates to 'avoiding automatic state changes during initialization'). The VfCsrf rule addresses CSRF vulnerabilities in Visualforce pages, which directly matches the FAQ's discussion of enabling CSRF protection for Visualforce pages.