How can I prevent CSRF vulnerabilities on a Visualforce page that performs an action upon loading?
Answer
To prevent CSRF vulnerabilities on a Visualforce page that performs an action upon loading:
1. Avoid performing state changes or DML operations during page initialization.
2. Enable the `confirmationTokenRequired` attribute in the Visualforce page settings. This ensures that a GET request to the page is honoured only when it carries a valid CSRF token in the URL, so a cross-site request cannot trigger the page's action and unauthorized access is prevented.
3. Trigger state changes explicitly through user actions, like button clicks, instead of automatically on page load.
For more details, refer to the ApexPage metadata type in the Metadata API Developer Guide.
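As an added illustration that is not part of the original FAQ, the three points above applied to a constructed Visualforce controller extension, with the vulnerable and hardened page markup and the page metadata shown in the trailing comment; the class, method, field and label names and the API version are assumptions.

```apex
// Constructed controller extension: initialization only reads; the state change
// lives in a method that is reached only through a user-triggered POST.
public with sharing class AccountCleanupController {
    private final Id accountId;

    public AccountCleanupController(ApexPages.StandardController sc) {
        // Point 1: a GET (page load) must not change state, so no DML here.
        accountId = sc.getId();
    }

    // Point 3: invoked by a commandButton inside <apex:form>, i.e. a POST that
    // carries the Visualforce form's anti-CSRF token, never by a page-load action.
    public PageReference archiveAccount() {
        Account acct = [SELECT Id, Description FROM Account
                        WHERE Id = :accountId WITH SECURITY_ENFORCED];
        acct.Description = 'Archived';   // constructed state change
        update acct;
        return new PageReference('/' + accountId);
    }
}

/* Page markup that violates points 1 and 3: the action fires on every GET, so a
   cross-site request for the page URL is enough to run the DML.

   <apex:page standardController="Account" extensions="AccountCleanupController"
              action="{!archiveAccount}"/>

   Hardened markup: the same method runs only when the user submits the form.

   <apex:page standardController="Account" extensions="AccountCleanupController">
       <apex:form>
           <apex:commandButton value="Archive" action="{!archiveAccount}"/>
       </apex:form>
   </apex:page>

   Point 2: AccountCleanup.page-meta.xml with confirmationTokenRequired set, so a
   GET without a valid token is refused (apiVersion is a constructed value).

   <?xml version="1.0" encoding="UTF-8"?>
   <ApexPage xmlns="http://soap.sforce.com/2006/04/metadata">
       <apiVersion>58.0</apiVersion>
       <confirmationTokenRequired>true</confirmationTokenRequired>
       <label>AccountCleanup</label>
   </ApexPage>
*/
```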
Recommended Answer Update
Unchanged from the answer above.
Reasoning
The FAQ content is accurate and well-structured, addressing CSRF prevention on Visualforce pages that perform actions on load. No significant changes are needed as the advice is current and follows security best practices. The content aligns with modern security approaches by recommending avoiding state changes during initialization and using proper CSRF protection mechanisms.
For security rules selection: I recommended ApexCSRF because this FAQ directly discusses CSRF vulnerabilities and prevention techniques in an Apex/Visualforce context. The FAQ's core content about preventing CSRF attacks through proper token handling and avoiding state changes on page load directly relates to what the ApexCSRF rule detects and prevents. I recommended VfCsrf because this FAQ specifically addresses CSRF vulnerabilities in Visualforce pages, which is exactly what the VfCsrf rule is designed to detect. The FAQ's discussion of the `confirmationTokenRequired` attribute and prevention of unauthorized access through GET requests directly corresponds to the Visualforce-specific CSRF protection mechanisms that this rule evaluates.