FAQ-000191 - CSRF and DML Security Issues / DML Operations on Component Load


Current FAQ

Question
Can a DML operation that only creates new, empty records on page load be considered a false positive for a CSRF vulnerability?
Answer
A DML operation that creates empty records on page load is not considered a false positive for a CSRF vulnerability in Salesforce. These operations bypass the platform's default CSRF protection because they are triggered automatically during page instantiation without user interaction, making them inherently vulnerable. To mitigate this:
- Remove the DML operation from the page load.
- Implement user interaction, like a button click, to trigger the operation.
- Enable the `confirmationTokenRequired` setting on the Visualforce page for additional protection.

AI Recommended Enhancement

Related Security Rules
- ApexCSRF
- VfCsrf
Question
Can a DML operation that only creates new, empty records on page load be considered a false positive for a CSRF vulnerability?
Recommended Answer Update
A DML operation that creates empty records on page load is not considered a false positive for a CSRF vulnerability in Salesforce. These operations bypass the platform's default CSRF protection because they're triggered automatically during page instantiation without user interaction, making them inherently vulnerable. To mitigate this:
- Remove the DML operation from the page load.
- Implement user interaction, like a button click, to trigger the operation.
- Enable the `confirmationTokenRequired` setting on the Visualforce page for additional protection.
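The pattern described in both the current and the recommended answer, as an added illustration that is not part of the FAQ: a controller that inserts a record during page instantiation, followed by the mitigated form where the DML only runs from a button-bound action method. The class, object and page names (AuditLogPageController, Audit_Log__c, AuditLogPage) are constructed for this example.

```apex
// VULNERABLE: the insert runs in the constructor, i.e. during page instantiation.
// Any request that loads the page, whether or not the user intended it, persists a
// record with no user interaction and no anti-CSRF token check (the finding the
// ApexCSRF / VfCsrf rules report).
public with sharing class AuditLogPageController {
    // Audit_Log__c is a hypothetical custom object used only for this example.
    public Audit_Log__c log { get; private set; }

    public AuditLogPageController() {
        log = new Audit_Log__c();
        insert log;   // DML on page load: this is the flagged operation
    }
}

// MITIGATED: the constructor only prepares in-memory state. The DML lives in an
// action method that is bound to a button, so it runs inside a form POST that
// carries the platform's anti-CSRF token rather than on a plain page GET.
public with sharing class AuditLogPageControllerFixed {
    public Audit_Log__c log { get; private set; }

    public AuditLogPageControllerFixed() {
        log = new Audit_Log__c();   // nothing is persisted on load
    }

    // Bound to <apex:commandButton action="{!save}"/> below; only a click calls it.
    public PageReference save() {
        insert log;
        return null;   // stay on the page
    }
}

/* Visualforce markup for the mitigated page. Note there is no action="..."
   attribute on <apex:page>: that hook runs on load and would reintroduce
   the problem even with the DML moved out of the constructor.

<apex:page controller="AuditLogPageControllerFixed">
  <apex:form>
    <apex:commandButton action="{!save}" value="Create audit log"/>
  </apex:form>
</apex:page>

   Additional protection from the FAQ, set in AuditLogPage.page-meta.xml
   (the "Require CSRF protection on GET requests" page setting):

<confirmationTokenRequired>true</confirmationTokenRequired>
*/
```

When reviewing a finding, check the constructor and any `action` attribute on `<apex:page>` for DML; those are the two places that execute without a user click.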
Reasoning
The FAQ content is technically accurate and addresses a legitimate CSRF security concern. The main improvement made was converting the formal 'they are triggered' to the more conversational 'they're triggered' to align with the brand and tone guidelines that specify using contractions for a more natural, conversational style. The structure and all key points were preserved.

I selected ApexCSRF because this FAQ directly addresses CSRF vulnerabilities in Apex code context, specifically discussing DML operations that bypass CSRF protection mechanisms. The FAQ explains the core concept that ApexCSRF detects: operations that can be vulnerable to cross-site request forgery attacks.

I selected VfCsrf because the FAQ mentions Visualforce pages and the `confirmationTokenRequired` setting, which is directly related to Visualforce CSRF protection mechanisms. The VfCsrf rule detects CSRF vulnerabilities in Visualforce pages, and this FAQ provides guidance on how to properly implement CSRF protection in that context.
Reasoning References