What is the recommended way to trigger a server-side action from a component without user interaction?
Answer
The recommended way to trigger a server-side action from a component without user interaction is by using the `$A.enqueueAction()` method. This method queues the server-side controller action for execution. The framework processes the event chain and batches the queued actions into a single request. These actions are asynchronous and can include callbacks to handle the response.
Recommended Answer Update
The recommended way to trigger a server-side action from a component without user interaction is by using the `$A.enqueueAction()` method. This method queues the server-side controller action for execution. The framework processes the event chain and batches the queued actions into a single request. These actions are asynchronous and can include callbacks to handle the response.
Important: When triggering server-side actions without user interaction (like on component load), ensure your server-side controller methods don't perform state-changing operations (DML) without proper CSRF protection. Use the `@AuraEnabled(cacheable=true)` annotation for read-only operations, or ensure state-changing operations have appropriate user interaction and validation.
Reasoning
The FAQ discusses triggering server-side actions from components without user interaction, which directly relates to CSRF (Cross-Site Request Forgery) security concerns. The original answer correctly explains the technical mechanism of `$A.enqueueAction()` but lacks important security guidance about CSRF protection when performing operations without user interaction.
I added a security note about CSRF protection because triggering DML operations without user interaction can create CSRF vulnerabilities. The FAQ's category is 'CSRF and DML Security Issues' and subcategory is 'DML Operations on Component Load', which confirms this security concern is central to the question.
For the ApexCSRF rule: This rule detects potential CSRF vulnerabilities in Apex code, specifically when `@AuraEnabled` methods perform DML operations that could be triggered without proper user interaction or CSRF protection. The FAQ content directly relates to this rule because it discusses triggering server-side actions (which would be `@AuraEnabled` methods) from components without user interaction, creating the exact scenario this CSRF rule is designed to detect and prevent.
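The split the updated answer recommends, as an added example that is not part of the original FAQ: the `init` handler queues only a read-only action through `$A.enqueueAction()`, and the DML action is queued only from a click handler. The Apex method names (`getOpenCases`, `closeCase`), the attribute names (`v.cases`, `v.error`, `v.selectedId`) and the `makeHarness` stub that stands in for the Aura runtime are assumptions made for illustration.

```javascript
// Aura client-side controller; in a real bundle this object literal is the
// controller file. Action and attribute names are assumptions for illustration.
const controller = {
  // init handler: runs with no user gesture, so it queues only the read-only call.
  doInit: function (component) {
    const action = component.get("c.getOpenCases"); // Apex: @AuraEnabled(cacheable=true)
    action.setCallback(this, function (response) {
      if (response.getState() === "SUCCESS") {
        component.set("v.cases", response.getReturnValue());
      } else {
        component.set("v.error", response.getError());
      }
    });
    $A.enqueueAction(action); // queued, then batched by the framework
  },
  // Button handler: the state-changing (DML) call is queued only on a user click.
  handleClose: function (component) {
    const action = component.get("c.closeCase"); // Apex: @AuraEnabled, performs DML
    action.setParams({ caseId: component.get("v.selectedId") });
    action.setCallback(this, function (response) {
      if (response.getState() !== "SUCCESS") component.set("v.error", response.getError());
    });
    $A.enqueueAction(action);
  }
};

// Constructed stand-in for the Aura runtime so the controller runs offline.
function makeHarness(serverResults) {
  const attrs = {}, queued = [];
  const newAction = (name) => ({ name, setParams(p) { this.params = p; }, setCallback(s, cb) { this.cb = cb; } });
  const component = {
    get: (name) => (name.startsWith("c.") ? newAction(name) : attrs[name]),
    set: (name, value) => { attrs[name] = value; }
  };
  globalThis.$A = { enqueueAction: (a) => queued.push(a) };
  // Deliver responses as the framework would once the batched request returns.
  const flush = () => queued.splice(0).forEach((a) => {
    const r = serverResults[a.name];
    a.cb({ getState: () => r.state, getReturnValue: () => r.value, getError: () => r.error });
  });
  return { component, attrs, queued, flush };
}
```

When reviewing a component, the action names queued by its `init` handler are the list to check against the Apex controller: each should resolve to a method that performs no DML.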