What constitutes a state-changing operation that would be vulnerable to CSRF on component load?
Answer
A state-changing operation (such as a DML operation) is vulnerable to CSRF on component load when it runs automatically during the component's initialization, before the user has taken any explicit action. To mitigate this:
- Avoid performing state changes or DML operations during component initialization.
- Trigger state-changing actions explicitly through user interactions, like a button click.
- For Visualforce pages, enable the `confirmationTokenRequired` attribute to require a CSRF token for GET requests.
- For Lightning components, ensure no state-changing operations are executed during instantiation.
These steps help prevent unauthorized actions and mitigate CSRF vulnerabilities.
What constitutes a state-changing operation that would be vulnerable to CSRF on component load?
Recommended Answer Update
A state-changing operation (such as a DML operation) is vulnerable to CSRF on component load when it runs automatically during the component's initialization, before the user has taken any explicit action. To mitigate this:
- Avoid performing state changes or DML operations during component initialization.
- Trigger state-changing actions explicitly through user interactions, like a button click.
- For Visualforce pages, enable the `confirmationTokenRequired` attribute to require a CSRF token for GET requests.
- For Lightning components, ensure no state-changing operations are executed during instantiation.
These steps help prevent unauthorized actions and mitigate CSRF vulnerabilities.
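As an added illustration (not part of the original FAQ) of the pattern the bullets above describe, here is a Visualforce controller in both forms: the first runs DML in its constructor, which executes on every GET of the page, so the update happens on load with no user intent and no token check; the second only reads during construction and moves the DML into an action method bound to a command button, so it runs only on a form POST that carries the Visualforce anti-CSRF token. Class, field and page names (`AccountStatusController`, `Status__c`, `markReviewed`) are assumed for illustration.

```apex
// Added example, not from the original FAQ. All names here are hypothetical.

// VULNERABLE: the state change runs during controller construction, i.e. on page
// load (GET). Any GET of /apex/AccountStatus?id=..., including one another site
// triggers in a logged-in user's browser, performs the update. PMD ApexCSRF flags
// DML in constructors and init methods for exactly this reason.
public with sharing class AccountStatusControllerVulnerable {
    public Account acct { get; private set; }

    public AccountStatusControllerVulnerable() {
        Id acctId = ApexPages.currentPage().getParameters().get('id');
        acct = [SELECT Id, Status__c FROM Account WHERE Id = :acctId LIMIT 1];
        acct.Status__c = 'Reviewed';
        update acct;   // state-changing DML on component load
    }
}

// FIXED: construction only reads. The state change lives in an action method
// that the user invokes explicitly; Visualforce submits it as a POST with the
// form's anti-CSRF token, which the platform validates before calling the method.
public with sharing class AccountStatusController {
    public Account acct { get; private set; }

    public AccountStatusController() {
        Id acctId = ApexPages.currentPage().getParameters().get('id');
        acct = [SELECT Id, Status__c FROM Account WHERE Id = :acctId LIMIT 1];
    }

    // Bound to the command button in the page markup below.
    public PageReference markReviewed() {
        acct.Status__c = 'Reviewed';
        update acct;
        return null;   // stay on the current page
    }
}

/* Matching page markup (AccountStatus.page), shown here as a comment:
   <apex:page controller="AccountStatusController">
     <!-- no action="{!...}" on apex:page: that would also run on GET (PMD VfCsrf) -->
     <apex:form>
       <apex:commandButton action="{!markReviewed}" value="Mark reviewed"/>
     </apex:form>
   </apex:page>
   If a page must accept a state-changing GET, set
   <confirmationTokenRequired>true</confirmationTokenRequired> in its
   .page-meta.xml so that GET requests require a CSRF confirmation token. */
```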
Reasoning
The FAQ content is accurate and well-structured, covering the key aspects of CSRF vulnerabilities during component load. No significant changes were needed as the technical content aligns with security best practices and current guidelines.
For the security rules selected:
1. **ApexCSRF** - This rule directly relates to the FAQ's focus on CSRF vulnerabilities. The FAQ specifically discusses "CSRF on component load" and explains how "state-changing operations vulnerable to CSRF" occur during component initialization. The rule's purpose of detecting CSRF vulnerabilities in Apex code matches exactly with the FAQ's explanation of CSRF prevention techniques.
2. **VfCsrf** - This rule is highly relevant because the FAQ explicitly mentions Visualforce pages and the `confirmationTokenRequired` attribute as a mitigation technique. The FAQ states "For Visualforce pages, enable the `confirmationTokenRequired` attribute to require a CSRF token for GET requests," which directly corresponds to CSRF protection in Visualforce that this rule would detect violations of.