FAQ-000192 - CSRF and DML Security Issues / DML Operations on Component Load


Current FAQ

Question
How can I prevent CSRF vulnerabilities when performing DML operations in component lifecycle methods like connectedCallback?
Answer
To prevent CSRF vulnerabilities when performing DML operations in component lifecycle methods like `connectedCallback`:

1. **Avoid automatic DML operations**: Do not execute state changes or DML operations during the component's initialization phase.
2. **Use explicit user actions**: Trigger these operations through user actions, such as a button click, to leverage Salesforce's built-in CSRF safeguards.
3. **Enable `confirmationTokenRequired`**: For Visualforce pages, enable this setting to require a CSRF token for GET requests.

AI Recommended Enhancement

Related Security Rules
ApexCSRF, VfCsrf
Recommended Answer Update
To prevent CSRF vulnerabilities when performing DML operations in component lifecycle methods like `connectedCallback`:

1. **Avoid automatic DML operations**: Don't execute state changes or DML operations during the component's initialization phase.
2. **Use explicit user actions**: Trigger these operations through user actions, such as a button click, to leverage Salesforce's built-in CSRF safeguards.
3. **Enable `confirmationTokenRequired`**: For Visualforce pages, enable this setting to require a CSRF token for GET requests.
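The three steps above (and the identical steps in the current answer) come down to where the DML statement lives. The Apex below is an added example, not code from the FAQ or from Salesforce: an anti-pattern controller that writes on page load beside a hardened one that only writes from an explicit action. Object, field, class and method names (Order__c, Viewed__c, AuditLog__c, OrderController, markViewed) are assumptions.

```apex
// Added example (not from the FAQ or from Salesforce): where DML belongs.
// Object, field, class and method names are assumed. Apex allows one
// top-level class per file; the two controllers are shown together only
// for comparison.

// ANTI-PATTERN: DML as a side effect of rendering. A Visualforce page with
// action="{!init}", or an LWC calling an equivalent @AuraEnabled method from
// connectedCallback, performs the write on every plain GET, so merely
// opening a link changes data. This is the shape the PMD ApexCSRF rule flags.
public with sharing class UnsafeOrderController {
    public UnsafeOrderController(ApexPages.StandardController sc) {
        insert new AuditLog__c(Action__c = 'viewed', Order__c = sc.getId());
    }
    public PageReference init() {
        update new Order__c(Id = ApexPages.currentPage().getParameters().get('id'),
                            Viewed__c = true);
        return null;
    }
}

// HARDENED: constructor and any init action stay read-only; the write is
// reachable only through an explicit user action.
public with sharing class OrderController {
    public Order__c order { get; private set; }

    public OrderController(ApexPages.StandardController sc) {
        order = (Order__c) sc.getRecord();   // read only, no state change on load
    }

    // Bound to <apex:commandButton action="{!markViewed}"/> inside <apex:form>;
    // Visualforce adds its anti-forgery token to that POST automatically.
    public PageReference markViewed() {
        order.Viewed__c = true;
        update order;
        return null;
    }

    // For an LWC: invoke from a button's onclick handler, never from
    // connectedCallback. If a page genuinely must change state on a GET,
    // set confirmationTokenRequired on the ApexPage so the token is checked.
    @AuraEnabled
    public static void markViewedById(Id orderId) {
        update new Order__c(Id = orderId, Viewed__c = true);
    }
}
```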
Reasoning
The FAQ content is accurate and well-structured, but some minor improvements enhance clarity and consistency. I replaced "Do not execute" with "Don't execute" for a more conversational tone per the guidelines. The three main points remain intact and provide solid CSRF prevention guidance.

For security rules selection:

- ApexCSRF: This rule directly relates to the FAQ's core topic of preventing CSRF vulnerabilities in Apex code. The FAQ specifically addresses DML operations in component lifecycle methods, which is exactly what this PMD rule detects: automatic DML operations that bypass CSRF protections.
- VfCsrf: This rule is relevant because the FAQ mentions Visualforce pages and the `confirmationTokenRequired` setting, which is specifically what this PMD rule checks for to prevent CSRF attacks in Visualforce contexts.