FAQ-000187 - CSRF and DML Security Issues / DML Operations on Component Load


Current FAQ

Question
Are there exceptions for performing DML on load for one-time configuration or admin-level checks?
Answer
Performing DML when a page or component loads is generally not accepted in Salesforce security review, because a write that runs on load executes on a plain GET request: an attacker only has to get a logged-in user to open a crafted link, and the user's session performs the write with no interaction at all (CSRF on load). If the DML is genuinely required for one-time configuration or an admin-level check, you must add safeguards:
- Enable "Require CSRF protection on GET requests" in the Visualforce page settings (the `confirmationTokenRequired` field of the ApexPage metadata set to true), so the page cannot be loaded by a bare GET without a valid confirmation token.
- Prefer an explicit user action, such as a button click that invokes the action method through a POST, so the write is never a side effect of rendering the page.
- Enforce the admin-level check server-side (permission and CRUD checks in the action method, not just a hidden button) and make the operation idempotent, so a repeated or replayed request does not re-run the configuration.
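The following Apex controller is an added example written for this FAQ; it is not code from Salesforce or from any reviewed package. It shows the on-load pattern the review flags next to the hardened form: the write moved behind a POST-backed command button, gated by a custom-permission check and a CRUD/FLS check, and made idempotent. The Visualforce markup and page metadata are shown in comments. The object `App_Config__c`, field `Installed__c`, custom permission `Manage_App_Setup` and page `SetupPage` are hypothetical names, and the note on how links to a token-protected page are generated is an assumption.

```apex
// Added example for this FAQ (not Salesforce code). App_Config__c, Installed__c,
// Manage_App_Setup and SetupPage are hypothetical names.
public with sharing class SetupController {

    // --- Pattern the review flags ----------------------------------------
    // Wired as <apex:page controller="SetupController" action="{!initOnLoad}">
    // (or placed in the constructor), this insert executes on the GET that
    // renders the page. A link to /apex/SetupPage embedded in an email or an
    // <img> tag makes an admin's browser perform the write with the admin's
    // session and no click: CSRF on load.
    public PageReference initOnLoad() {
        insert new App_Config__c(Name = 'default', Installed__c = true);
        return null;
    }

    // --- Hardened form ---------------------------------------------------
    // Rendering the page only reads state. The write sits behind an explicit
    // button, so it travels in a POST that carries the Visualforce anti-CSRF
    // token and cannot be triggered by a crafted URL.
    public Boolean alreadyConfigured { get; private set; }

    public SetupController() {
        alreadyConfigured = ![
            SELECT Id FROM App_Config__c
            WHERE Name = 'default'
            WITH SECURITY_ENFORCED
            LIMIT 1
        ].isEmpty();
    }

    // Bound to <apex:commandButton action="{!runSetup}" value="Run setup"
    //            rendered="{!NOT(alreadyConfigured)}"/>
    public PageReference runSetup() {
        // Admin-level gate enforced server-side, not only by hiding the button.
        if (!FeatureManagement.checkPermission('Manage_App_Setup')) {
            ApexPages.addMessage(new ApexPages.Message(
                ApexPages.Severity.ERROR, 'You are not authorized to run setup.'));
            return null;
        }
        // CRUD/FLS check before the write ("with sharing" covers record access only).
        if (!Schema.sObjectType.App_Config__c.isCreateable()
            || !Schema.sObjectType.App_Config__c.fields.Installed__c.isCreateable()) {
            ApexPages.addMessage(new ApexPages.Message(
                ApexPages.Severity.ERROR, 'Insufficient object or field permissions.'));
            return null;
        }
        // Idempotent: a double click or a replayed request is a no-op.
        if (alreadyConfigured) {
            return null;
        }
        insert new App_Config__c(Name = 'default', Installed__c = true);
        alreadyConfigured = true;
        return null;
    }
}

/* If the write truly must happen on load, the remaining safeguard is the page
 * setting named in the FAQ. In SetupPage.page-meta.xml:
 *
 *   <?xml version="1.0" encoding="UTF-8"?>
 *   <ApexPage xmlns="http://soap.sforce.com/2006/04/metadata">
 *       <apiVersion>60.0</apiVersion>
 *       <confirmationTokenRequired>true</confirmationTokenRequired>
 *       <label>Setup Page</label>
 *   </ApexPage>
 *
 * Salesforce then rejects a bare GET to /apex/SetupPage that lacks the
 * confirmation token. Assumption: links to the page must be produced by the
 * platform for the current session (e.g. {!URLFOR($Page.SetupPage)}) rather
 * than hand-built, otherwise legitimate users are locked out too.
 */
```

Keep the action-method approach as the default; the `confirmationTokenRequired` setting is the fallback for the rare case where the page itself must mutate state on load, and it still does not replace the permission and CRUD checks inside the method.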

AI Recommended Enhancement

Related Security Rules
ApexCSRF, VfCsrf
Recommended Answer Update
No change proposed: the recommended answer text is identical to the current FAQ answer above.
Reasoning
The FAQ content is accurate and well-structured, addressing the core security concern of CSRF vulnerabilities when performing DML on component load. The recommendations provided align with Salesforce security best practices. No major changes are needed as the content already covers the essential safeguards. I selected two security rules that directly relate to this FAQ's content: ApexCSRF and VfCsrf. The ApexCSRF rule (severity 1) detects potential CSRF vulnerabilities in Apex code, which is exactly what this FAQ addresses when discussing DML operations triggered on component load without proper protection. The VfCsrf rule (severity 2) identifies CSRF issues in Visualforce pages, which is also relevant since the FAQ discusses GET request protection and confirmation tokens that apply to Visualforce scenarios. Both rules validate the security concerns raised in this FAQ about automated actions being triggered without user interaction.