FAQ-000188 - CSRF and DML Security Issues / DML Operations on Component Load

Current FAQ

Question
How should CSRF vulnerabilities be addressed when components create default records automatically?
Answer
To address CSRF vulnerabilities when components create default records automatically:

1. **Avoid automatic DML operations**: Do not perform state change or DML operations during component initialization.
2. **Use explicit user actions**: Trigger record creation through user actions, like a button click.
3. **Enable `confirmationTokenRequired`**: For Visualforce pages, enable this setting to ensure GET requests require a CSRF token in the URL.
4. **Check Apex controllers**: For Lightning components, ensure no state change or DML operations are executed during initialization.

These steps help mitigate CSRF risks effectively.

AI Recommended Enhancement

Related Security Rules
ApexCSRF, VfCsrf
Question
How should CSRF vulnerabilities be addressed when components create default records automatically?
Recommended Answer Update
To address CSRF vulnerabilities when components create default records automatically:

1. **Avoid automatic DML operations**: Don't perform state changes or DML operations during component initialization.
2. **Use explicit user actions**: Trigger record creation through user actions, like a button click.
3. **Enable `confirmationTokenRequired`**: For Visualforce pages, enable this setting to ensure GET requests require a CSRF token in the URL.
4. **Check Apex controllers**: For Lightning components, ensure no state changes or DML operations are executed during initialization.

These steps help mitigate CSRF risks effectively.
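Added illustration of steps 1 to 3, serving both the current answer and the recommended update above; it is not code from the FAQ record or from Salesforce. It shows an Apex controller where a default-record insert is wired to the page load action (the pattern the review flags) beside the hardened form, where the insert only runs from an explicit form button on a page with `confirmationTokenRequired` enabled. The class name, field values and the page markup quoted in comments are assumptions.

```apex
// Constructed example: a Visualforce controller that creates a default Account.
// Assumed page markup is shown in comments next to each method.
public with sharing class DefaultRecordController {
    public Account defaultAccount { get; private set; }

    public DefaultRecordController() {
        // Safe: the constructor only prepares an in-memory record.
        // No insert/update/delete here and none in any method that the
        // page's action attribute invokes on load.
        defaultAccount = new Account(Name = 'Default');
    }

    // BEFORE (the pattern to avoid): wired as
    //   <apex:page controller="DefaultRecordController" action="{!createOnLoad}">
    // The insert runs on every GET of the page, i.e. DML during component
    // initialization, which is what the CSRF review flags. Shown only so the
    // difference to the hardened form is visible; do not ship it.
    public PageReference createOnLoad() {
        insert defaultAccount;   // DML triggered by merely loading the page
        return null;
    }

    // AFTER: wired as
    //   <apex:form>
    //     <apex:commandButton action="{!createOnClick}" value="Create default" />
    //   </apex:form>
    // The button posts back through the Visualforce form, which carries the
    // framework's anti-forgery token, so the record is created only by an
    // explicit user action. With confirmationTokenRequired enabled on the page,
    // any remaining GET-time action would also need a CSRF token in the URL.
    public PageReference createOnClick() {
        if (defaultAccount.Id != null) {
            return null;         // already created; repeated clicks are harmless
        }
        insert defaultAccount;
        return null;
    }
}
```

The same rule applies to step 4: an `@AuraEnabled` method that performs DML should be invoked from a click handler in the Lightning component, not from its initialization hook.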
Reasoning
The FAQ content is accurate and addresses CSRF vulnerabilities appropriately. I made minor wording improvements for clarity:

1. Changed "state change or DML operations" to "state changes or DML operations" for better readability in points 1 and 4.
2. Changed "Do not perform" to "Don't perform" to align with the conversational tone guidelines.

These changes maintain all existing points and information while improving the conversational flow of the text.

Regarding security rules selected:

**ApexCSRF**: This rule is directly relevant because the FAQ discusses CSRF vulnerabilities in Apex controllers. The FAQ specifically mentions "Check Apex controllers" and avoiding "state changes or DML operations during initialization", which directly relates to CSRF prevention in Apex code that this rule addresses.

**VfCsrf**: This rule is directly relevant because the FAQ specifically mentions Visualforce pages and the `confirmationTokenRequired` setting. Point 3 in the FAQ states "For Visualforce pages, enable this setting to ensure GET requests require a CSRF token in the URL", which directly corresponds to the CSRF protection mechanisms that this Visualforce CSRF rule addresses.