Is performing a DML operation on component load always considered a CSRF vulnerability?
Answer
Yes, performing a DML operation on component load is generally considered a CSRF vulnerability in Salesforce. This is because such operations bypass the platform's default CSRF protection when triggered during component instantiation.
To mitigate this:
- Trigger state changes or DML operations through explicit user actions, like a button click.
- Enable the `confirmationTokenRequired` attribute for Visualforce pages to add an extra layer of protection.
Is performing a DML operation on component load always considered a CSRF vulnerability?
Recommended Answer Update
No, performing a DML operation on component load isn't always considered a CSRF vulnerability, but in practice it almost always is. The key factor is whether a state-changing action (insert, update, delete, upsert) runs without a deliberate user action behind it, and load-time DML does exactly that. Load-time code that only reads data (SOQL queries, no DML) is not a CSRF concern.
A CSRF vulnerability exists when:
- DML operations run automatically during component or page initialization, for example in a controller constructor or in a method bound to the `action` attribute of `<apex:page>`.
- The state change is triggered without an explicit user action, so a link or image tag placed by an attacker is enough to make the victim's browser issue the request.
- The platform's built-in CSRF protection is bypassed: its anti-CSRF token is checked on form submissions from `<apex:form>`, not on the initial GET that loads the page.
To avoid CSRF issues:
- Trigger state changes or DML operations through explicit user actions, like a button click.
- Enable the `confirmationTokenRequired` attribute for Visualforce pages to add an extra layer of protection.
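To make the distinction concrete, here is an added example (not code from the original FAQ, and not PMD's own ApexCSRF implementation). It embeds two constructed Apex controllers, one with the delete in the constructor and one with it behind a command button, and a small Python checker that applies the same test the ApexCSRF rule is built around, assuming that rule is PMD's Apex rule of that name: DML in code that runs on load (constructors, static initializers, methods named `init`) is flagged, DML in an ordinary action method is not. The class, field and method names (`AccountCleanupController`, `accountId`, `cleanup`) are hypothetical.

```python
"""Simplified ApexCSRF-style check (added example; not PMD's implementation).

As far as the author knows, PMD's ApexCSRF rule flags DML inside an Apex class
constructor, a static initializer block or a method named `init`, because those
run on page/component load rather than in response to a user action. This is a
brace-matching approximation, not an Apex parser: comments or string literals
containing braces or DML keywords will confuse it.
"""
import re

# Statement DML (insert/update/delete/upsert/undelete/merge ...;) plus the
# Database.* method forms of the same operations.
DML_PATTERN = re.compile(
    r"\b(?:insert|update|delete|upsert|undelete|merge)\s+[^;]+;"
    r"|\bDatabase\.(?:insert|update|delete|upsert|undelete|merge)\s*\(",
    re.IGNORECASE,
)


def _block_body(src: str, open_idx: int) -> str:
    """Return the text between the '{' at open_idx and its matching '}'."""
    depth = 0
    for i in range(open_idx, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[open_idx + 1:i]
    raise ValueError("unbalanced braces in Apex source")


def load_time_scopes(src: str) -> list:
    """(label, index of opening brace) for code that runs on load:
    constructors, methods named init, and static initializer blocks."""
    class_name = re.search(r"\bclass\s+(\w+)", src).group(1)
    ctor_or_init = r"\b(" + re.escape(class_name) + r"|init)\s*\([^)]*\)\s*\{"
    scopes = [(m.group(1), m.end() - 1) for m in re.finditer(ctor_or_init, src)]
    scopes += [("static initializer", m.end() - 1)
               for m in re.finditer(r"\bstatic\s*\{", src)]
    return scopes


def find_load_time_dml(src: str) -> list:
    """(scope, line number, statement) for each DML found in a load-time scope."""
    findings = []
    for scope, open_idx in load_time_scopes(src):
        body = _block_body(src, open_idx)
        for m in DML_PATTERN.finditer(body):
            abs_idx = open_idx + 1 + m.start()          # offset within src
            line = src[:abs_idx].count("\n") + 1
            findings.append((scope, line, m.group(0).splitlines()[0].strip()))
    return findings


# Constructed sample (hypothetical names): DML in the constructor, so it runs on
# every page load. Apex also refuses this at runtime ("DML currently not allowed").
VULNERABLE_CONTROLLER = """\
public with sharing class AccountCleanupController {
    private Id accountId;

    public AccountCleanupController() {
        // Runs on every page load, so a link or hidden image placed by an
        // attacker is enough to fire this in the victim's session; the
        // platform's anti-CSRF token is never checked on that GET.
        accountId = ApexPages.currentPage().getParameters().get('id');
        delete [SELECT Id FROM Account WHERE Id = :accountId];
    }
}
"""

# Constructed sample: the constructor only reads; the DML sits behind a command
# button inside <apex:form>, where the platform validates its CSRF token.
HARDENED_CONTROLLER = """\
public with sharing class AccountCleanupController {
    private Id accountId;

    public AccountCleanupController() {
        accountId = ApexPages.currentPage().getParameters().get('id');
    }

    // Bound to an apex:commandButton in the page markup, i.e. a user click.
    public PageReference cleanup() {
        delete [SELECT Id FROM Account WHERE Id = :accountId];
        return new PageReference('/' + accountId);
    }
}
"""

if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_CONTROLLER),
                       ("hardened", HARDENED_CONTROLLER)):
        print(label, find_load_time_dml(src))
```

The checker reports the constructor delete in the first controller and nothing in the second. One caveat worth keeping in mind: a method bound to `<apex:page action="{!cleanup}">` also runs on load and is just as exposed, but it is an ordinary method, so neither this toy nor a source-only rule can tell it apart from the hardened `cleanup()` without reading the Visualforce markup; review `action` attributes on `<apex:page>` separately.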
Reasoning
The original answer contains a significant inaccuracy by stating that DML operations on component load are 'always' considered CSRF vulnerabilities. This is too absolute and doesn't reflect the nuanced nature of CSRF vulnerabilities. The updated answer corrects this by explaining that it depends on the specific context - whether state-changing actions occur without user intent. I selected the ApexCSRF rule because the FAQ directly discusses CSRF vulnerabilities in the context of DML operations, and this rule is specifically designed to detect Cross-Site Request Forgery vulnerabilities in Apex code. The FAQ's discussion of 'DML operations triggered during component instantiation' and 'bypassing platform's default CSRF protection' directly relates to what the ApexCSRF rule aims to detect and prevent.