FAQ-000198 - CSRF and DML Security Issues / DML Operations on Component Load


Current FAQ

Question
Is executing a SOQL query or an API callout in a Visualforce page's action method considered a state-changing operation that needs CSRF protection?
Answer
Yes, executing a SOQL query or an API callout in a Visualforce page's action method is considered a state-changing operation and requires CSRF protection. To mitigate this, enable the `confirmationTokenRequired` attribute in the Visualforce page settings. This ensures that GET requests to the page require a CSRF token in the URL, preventing unauthorized state changes.


AI Recommended Enhancement

Related Security Rules
ApexCSRF, VfCsrf
Question
Is executing a SOQL query or an API callout in a Visualforce page's action method considered a state-changing operation that needs CSRF protection?
Recommended Answer Update
Yes, executing a SOQL query or an API callout in a Visualforce page's action method is considered a state-changing operation and requires CSRF protection. To mitigate this, enable the `confirmationTokenRequired` attribute in the Visualforce page settings. This ensures that GET requests to the page require a CSRF token in the URL, preventing unauthorized state changes.
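As an added illustration for the answer above (both the current and the recommended one; this is not part of the original FAQ), here is the Metadata API representation of such a page, with the weak setting beside the corrected one. The page name `AccountSync`, its controller and the `syncOnLoad` action method, assumed to run a SOQL query and an HTTP callout when the page loads, are hypothetical.

```xml
<!-- AccountSync.page (hypothetical): the action attribute runs syncOnLoad on every GET -->
<apex:page controller="AccountSyncController" action="{!syncOnLoad}">
    <apex:pageMessages />
</apex:page>

<!-- AccountSync.page-meta.xml, weak setting: a plain GET to /apex/AccountSync runs the
     query and callout, so any cross-site link or image tag loaded in a logged-in user's
     browser can trigger them in that user's session -->
<ApexPage xmlns="http://soap.sforce.com/2006/04/metadata">
    <apiVersion>59.0</apiVersion>
    <confirmationTokenRequired>false</confirmationTokenRequired>
    <label>AccountSync</label>
</ApexPage>

<!-- AccountSync.page-meta.xml, corrected: GET requests that do not carry a valid CSRF
     confirmation token are rejected before the action method executes -->
<ApexPage xmlns="http://soap.sforce.com/2006/04/metadata">
    <apiVersion>59.0</apiVersion>
    <confirmationTokenRequired>true</confirmationTokenRequired>
    <label>AccountSync</label>
</ApexPage>
```

The same setting is exposed in Setup as the "Require CSRF protection on GET requests" checkbox on the Visualforce page; the two metadata documents are shown together only for comparison and would each live in their own file.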
Reasoning
The original answer is technically accurate and well-structured. No significant changes are needed as the content correctly identifies SOQL queries and API callouts in action methods as state-changing operations requiring CSRF protection, and provides the correct mitigation using the `confirmationTokenRequired` attribute. The language is clear and concise, following the brand guidelines for being direct and conversational. The answer appropriately focuses on the security requirement without unnecessary verbosity. Regarding security rules: ApexCSRF is recommended because this FAQ directly addresses CSRF vulnerabilities in Apex code, specifically in the context of Visualforce action methods that perform SOQL queries or API callouts. The FAQ's core content about preventing unauthorized state changes through CSRF tokens aligns with what this rule detects. VfCsrf is recommended because this FAQ specifically discusses Visualforce CSRF protection using the `confirmationTokenRequired` attribute, which is exactly what this Visualforce security rule addresses: detecting missing CSRF protections in Visualforce pages.