Will an @AuraEnabled Apex method that performs a DML operation on page load be flagged as a CSRF vulnerability?
Answer
Yes. An `@AuraEnabled` Apex method that performs a DML operation on page load will be flagged as a CSRF vulnerability in Salesforce (this is the pattern the ApexCSRF rule detects). The state change runs as a side effect of the page or component being instantiated rather than in response to an explicit user action, so it bypasses the platform's default CSRF protection.
To mitigate this:
- Do not perform state changes or DML operations while a Lightning component or Visualforce page is initializing (constructors, init handlers, or methods called on load).
- Trigger these operations only through explicit user actions, such as a button click.
- For Visualforce pages, enable the `confirmationTokenRequired` attribute so the page requires a confirmation token.
Recommended Answer Update
Yes. An `@AuraEnabled` Apex method that performs a DML operation on page load will be flagged as a CSRF vulnerability in Salesforce (this is the pattern the ApexCSRF rule detects). The state change runs as a side effect of the page or component being instantiated rather than in response to an explicit user action, so it bypasses the platform's default CSRF protection.
To mitigate this:
- Do not perform state changes or DML operations while a Lightning component or Visualforce page is initializing (constructors, init handlers, or methods called on load).
- Trigger these operations only through explicit user actions, such as a button click.
- For Visualforce pages, enable the `confirmationTokenRequired` attribute so the page requires a confirmation token.
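The flagged pattern beside a corrected controller, as an added example that is not part of the original FAQ. Class, method and field names (`DraftAccountController`, `createDraftOnLoad`, `getDrafts`, `createDraft`) are assumptions chosen for illustration.

```apex
// FLAGGED: DML that runs merely because the page/component loaded.
// A Lightning component calling this from its init/connectedCallback,
// or a Visualforce <apex:page action="{!createDraftOnLoad}">, changes
// state with no user action, which is what the ApexCSRF rule reports.
public with sharing class DraftAccountController {
    @AuraEnabled
    public static Id createDraftOnLoad() {
        Account draft = new Account(Name = 'Draft');
        insert draft;                 // side effect of page instantiation
        return draft.Id;
    }
}

// CORRECTED: load-time work is read-only; DML only on an explicit action.
public with sharing class DraftAccountControllerFixed {
    // Safe to call on load. cacheable=true also makes any accidental
    // DML in this method fail at runtime, a useful guard rail.
    @AuraEnabled(cacheable=true)
    public static List<Account> getDrafts() {
        return [SELECT Id, Name FROM Account
                WHERE Name = 'Draft'
                WITH SECURITY_ENFORCED
                LIMIT 50];
    }

    // Wired to a button click handler in the component, never to init.
    @AuraEnabled
    public static Id createDraft(String name) {
        if (String.isBlank(name)) {
            throw new AuraHandledException('Name is required');
        }
        if (!Schema.sObjectType.Account.isCreateable()) {
            throw new AuraHandledException('Insufficient access to create Account');
        }
        Account draft = new Account(Name = name);
        insert draft;                 // state change tied to a user action
        return draft.Id;
    }
}
```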
Reasoning
The FAQ content relates directly to the ApexCSRF rule, which identifies CSRF vulnerabilities in Apex code. It describes the specific scenario the rule is designed to detect: `@AuraEnabled` methods that perform DML on page load, so the state change is triggered without explicit user interaction and bypasses CSRF protection. No significant content updates were needed; the information is accurate, well structured, and consistent with the security best practices for preventing CSRF vulnerabilities in Salesforce applications.