How can CSRF issues be resolved when DML operations occur automatically during component initialization?
Answer
To resolve CSRF issues when DML operations occur automatically during component initialization:
1. **Avoid automatic DML operations**: Do not trigger state changes or DML operations during the initialization phase of a component.
2. **Use explicit user actions**: Trigger these operations through explicit user actions, like a button click.
3. **Enable `confirmationTokenRequired`**: For Visualforce pages, enable the `confirmationTokenRequired` attribute to ensure GET requests require a CSRF token in the URL.
4. **Perform access checks**: Always perform access checks, such as `isCreateable()`, before executing DML operations.
How can CSRF issues be resolved when DML operations occur automatically during component initialization?
Recommended Answer Update
To resolve CSRF issues when DML operations occur automatically during component initialization:
1. **Avoid automatic DML operations**: Don't trigger state changes or DML operations during the initialization phase of a component.
2. **Use explicit user actions**: Trigger these operations through explicit user actions, like a button click.
3. **Enable `confirmationTokenRequired`**: For Visualforce pages, enable the `confirmationTokenRequired` attribute to ensure GET requests require a CSRF token in the URL.
4. **Perform access checks**: Always perform access checks, such as `isCreateable()`, before executing DML operations.
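The following Apex example is added here to illustrate the four steps above; it is not part of the original FAQ and not Salesforce's own code. The custom object `Visit__c`, its `Page__c` field and both controller class names are hypothetical. The vulnerable controller shows why DML during initialization is a CSRF problem: a Visualforce page's `action` attribute (and the controller constructor) run on a plain GET, so any link the user follows performs the write. The hardened controller moves the write into a command button's action method, which only runs on a form postback, and checks object- and field-level create access with the describe method `isCreateable()` before inserting. The `confirmationTokenRequired` attribute appears only in a comment, as step 3 recommends it for pages that keep a page-load action.

```apex
// ---------------------------------------------------------------------------
// VULNERABLE PATTERN (what steps 1 and 2 tell you to avoid).
// Page markup (hypothetical):
//   <apex:page controller="VisitLoggerVulnerableController" action="{!init}"/>
// The action attribute fires on every GET of the page, so a crafted link is
// enough to make the victim's browser insert a record.
// ---------------------------------------------------------------------------
public with sharing class VisitLoggerVulnerableController {
    public PageReference init() {
        insert new Visit__c(Page__c = 'home');   // DML during initialization: CSRF-exposed
        return null;
    }
}

// ---------------------------------------------------------------------------
// HARDENED PATTERN.
// Page markup (hypothetical):
//   <apex:page controller="VisitLoggerController">
//     <!-- If a page-load action must stay, step 3 of the answer says to add
//          confirmationTokenRequired="true" on <apex:page> so the GET needs a token. -->
//     <apex:pageMessages/>
//     <apex:form>
//       <apex:commandButton value="Log visit" action="{!logVisit}" reRender="status"/>
//       <apex:outputPanel id="status">{!statusMessage}</apex:outputPanel>
//     </apex:form>
//   </apex:page>
// ---------------------------------------------------------------------------
public with sharing class VisitLoggerController {
    public String statusMessage { get; private set; }

    // Constructor runs on every GET of the page: initialize state only, no DML (step 1).
    public VisitLoggerController() {
        statusMessage = 'Click the button to log a visit.';
    }

    // Runs only on the POST issued by the command button (step 2); the
    // Visualforce form postback carries its own anti-CSRF token.
    public PageReference logVisit() {
        // Step 4: object-level and field-level create checks before DML.
        if (!Schema.sObjectType.Visit__c.isCreateable()
                || !Schema.sObjectType.Visit__c.fields.Page__c.isCreateable()) {
            ApexPages.addMessage(new ApexPages.Message(
                ApexPages.Severity.ERROR,
                'You do not have permission to create Visit records.'));
            return null;   // fail closed: no insert without create access
        }

        Visit__c v = new Visit__c(Page__c = 'home');
        insert v;
        statusMessage = 'Visit logged: ' + v.Id;
        return null;       // stay on the page; the outputPanel is re-rendered
    }
}
```

With the hardened page, loading it (a GET) only constructs the controller and shows the prompt; the insert happens solely when the user presses the button, and a user whose profile lacks create access on `Visit__c` or on `Page__c` sees an error message instead of a silent write.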
Reasoning
The FAQ content is accurate and well-structured, addressing the core CSRF issue effectively. I made minor wording improvements for clarity: changed 'Do not trigger' to 'Don't trigger' for a more conversational tone, and 'like a button click' remains unchanged as it's already appropriately conversational. These small refinements make the text more accessible while preserving all technical accuracy and completeness.
Regarding security rules selected:
- **ApexCSRF**: This rule directly relates to the FAQ's core topic of resolving CSRF issues. The FAQ specifically addresses 'CSRF issues' in both the question and answer, and provides solutions like using explicit user actions and the confirmationTokenRequired attribute.
- **ApexCRUDViolation**: This rule is relevant because the FAQ mentions performing access checks like 'isCreateable()' before executing DML operations, which is exactly what this rule helps detect - violations of CRUD permissions in Apex code.
- **VfCsrf**: This rule specifically applies to the FAQ content that mentions 'For Visualforce pages, enable the confirmationTokenRequired attribute to ensure GET requests require a CSRF token in the URL' - this is directly about Visualforce CSRF protection.