FAQ-000184 - CSRF and DML Security Issues / DML Operations on Component Load


Current FAQ

Question
How can I determine if methods called on page load will trigger CSRF violation flags during security review?
Answer
Methods called on page load can trigger CSRF violation flags during a security review if they perform state change or DML operations. These operations bypass the platform's default CSRF protection when executed on page instantiation. To mitigate this:
- Enable the `confirmationTokenRequired` attribute for Visualforce pages.
- Avoid performing such operations in Apex controllers during instantiation for Lightning or LWC.
- Instead, trigger state changes through user actions, like button clicks.

AI Recommended Enhancement

Related Security Rules
ApexCSRF, VfCsrf
Question
How can I determine if methods called on page load will trigger CSRF violation flags during security review?
Recommended Answer Update
Methods called on page load can trigger CSRF violation flags during security review if they perform state changes or DML operations. These operations bypass the platform's default CSRF protection when executed on page instantiation. To mitigate this:
- Enable the `confirmationTokenRequired` attribute for Visualforce pages.
- Avoid performing such operations in Apex controllers during instantiation for Lightning or LWC.
- Instead, trigger state changes through user actions, like button clicks.
Reasoning
The FAQ content is accurate and well-structured, but I made one minor improvement to enhance clarity. I changed 'state change or DML operations' to 'state changes or DML operations' for better grammatical flow. The FAQ correctly identifies that methods performing state changes or DML operations on page load can trigger CSRF violations and provides appropriate mitigation strategies. I selected ApexCSRF because this rule directly identifies CSRF vulnerabilities in Apex code, which is exactly what the FAQ discusses when it mentions 'methods called on page load' that 'perform state changes or DML operations' and how they 'bypass the platform's default CSRF protection.' I selected VfCsrf because the FAQ specifically recommends enabling the 'confirmationTokenRequired attribute for Visualforce pages' as a mitigation strategy, and VfCsrf is the Visualforce-specific CSRF security rule that would flag missing CSRF protection in Visualforce pages.
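The Answer and the Recommended Answer Update above both describe the same pattern in the abstract. The following Apex controller is an added example, not code from this FAQ or from Salesforce, that shows the pattern a review flags (DML wired to the page's `action` attribute, so it runs on every GET) next to the mitigated form (the same DML reachable only through a command button inside `apex:form`, which posts with the platform's anti-CSRF token). The class name, the `Account` target and the `id` parameter are constructed for illustration; the Visualforce markup that wires each method is shown in comments beside it.

```apex
// Added example (not from the FAQ or from Salesforce). Class, object and
// parameter names are constructed for illustration.
public with sharing class RecordCleanupController {
    public Id recordId { get; private set; }
    public Boolean deleted { get; private set; }

    public RecordCleanupController() {
        // Reading a URL parameter during instantiation is fine: it changes
        // no state, so a review does not flag it.
        recordId = ApexPages.currentPage().getParameters().get('id');
        deleted = false;
    }

    // FLAGGED PATTERN: wired to the page's action attribute, so the delete
    // runs on load of every GET of the page. A GET carries no anti-CSRF
    // token, which is exactly the bypass the FAQ describes.
    //
    //   <apex:page controller="RecordCleanupController"
    //              action="{!deleteOnLoad}"/>
    public PageReference deleteOnLoad() {
        delete new Account(Id = recordId);
        deleted = true;
        return null;
    }

    // MITIGATED PATTERN: the same DML, but reachable only from a command
    // button inside <apex:form>. The form submits by POST and Visualforce
    // adds its anti-CSRF token to that POST automatically, so the delete
    // happens only on an explicit user click from the rendered page.
    //
    //   <apex:page controller="RecordCleanupController">
    //     <apex:form>
    //       <apex:commandButton value="Delete record"
    //                           action="{!deleteOnClick}"/>
    //     </apex:form>
    //   </apex:page>
    public PageReference deleteOnClick() {
        // CRUD check is a separate review rule, shown here because a
        // practitioner would pair it with the DML in the same method.
        if (!Schema.sObjectType.Account.isDeletable()) {
            ApexPages.addMessage(new ApexPages.Message(
                ApexPages.Severity.ERROR, 'Insufficient access to delete.'));
            return null;
        }
        delete new Account(Id = recordId);
        deleted = true;
        return null;
    }
}
```

The controller keeps both methods only so the two wirings can be compared; in a real class only `deleteOnClick` would remain, and the page would have no `action` attribute that performs DML. The same split applies to Lightning and LWC: keep `@AuraEnabled` methods that perform DML off the component's load path (`connectedCallback` or `@wire`) and call them imperatively from a click handler.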