FAQ-000199 - CSRF and DML Security Issues / DML Operations on Component Load


Current FAQ

Question
How can CSRF vulnerabilities in Lightning Web Components be properly addressed when DML operations are triggered from lifecycle hooks?
Answer
To address CSRF vulnerabilities in Lightning Web Components when DML operations are triggered from lifecycle hooks: 1. Do not perform state changes or DML operations while the component is being instantiated; the hook runs as soon as the page is opened, so getting a victim to follow a crafted link is enough to trigger it. 2. Trigger these operations explicitly through a user action, such as a button click, so that a state change requires a deliberate interaction rather than a page load. 3. Follow the secure coding guidelines for the Apex that performs the DML (sharing enforcement, CRUD and FLS checks) to further prevent vulnerabilities.

AI Recommended Enhancement

Related Security Rules
ApexCSRF
Recommended Answer Update
To address CSRF vulnerabilities in Lightning Web Components when DML operations are triggered from lifecycle hooks: 1. Do not perform state changes or DML operations directly in lifecycle hooks such as `connectedCallback()` or `renderedCallback()`. These hooks run every time the component is loaded, so an attacker who gets a victim to open a crafted URL (for example one carrying a record Id in its query string) has the DML executed with the victim's session. The call to Apex is made by the victim's own browser from a legitimately loaded page, so the framework's anti-CSRF token on Apex requests does not prevent it. 2. Instead, trigger these operations explicitly through user actions, like a button click, so the state change needs a deliberate interaction and cannot be forced by a page load alone. 3. Put the DML in an `@AuraEnabled` Apex method that is not cacheable (`cacheable=false`, which is the default; DML is not permitted in `cacheable=true` methods) and that enforces sharing and CRUD/FLS checks. The annotation only controls how the method is exposed to the component; it is not itself a CSRF control.
Reasoning
The original answer was too generic and did not provide specific guidance about Lightning Web Components or the technical mechanisms involved. The recommended updates improve clarity by:
1. **Specificity improvement:** naming the lifecycle hooks (`connectedCallback()`, `renderedCallback()`) that developers commonly use, making the guidance more actionable.
2. **Technical clarity:** stating what "component's instantiation" means in practical terms and why a page load is enough to trigger the DML.
3. **Implementation guidance:** describing how the Apex method should be exposed (`@AuraEnabled`, non-cacheable, with sharing and CRUD/FLS checks) instead of presenting the annotation as a security control.
Regarding the ApexCSRF rule selection: this rule relates directly to the FAQ's core topic. It reports DML operations placed in Apex class constructors and initializers, code that runs when a page or component loads rather than in response to a user action; that is the Apex-side counterpart of DML in an LWC lifecycle hook. The FAQ's guidance about triggering operations through explicit user actions is the remedy for the code patterns this rule reports.
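The two patterns side by side, as an added example that is not part of this FAQ and not Salesforce's own code: first the DML-in-constructor pattern the ApexCSRF rule reports, then the explicitly invoked, non-cacheable `@AuraEnabled` method that the recommended answer calls for. The class names, the `Case.Reviewed__c` field and the `caseReview` component are assumptions made for illustration.

```apex
// Added example (not from the FAQ or from Salesforce). Class names and the
// Case.Reviewed__c field are illustrative assumptions.

// BEFORE: the DML is a side effect of loading the page. A constructor (or an
// initializer such as an init/action method) executes when the victim merely
// opens a link, so a crafted URL carrying ?id=<CaseId> is enough to perform
// the update with the victim's session. This is what ApexCSRF reports.
public with sharing class CaseReviewVulnerableController {
    public Id caseId { get; private set; }

    public CaseReviewVulnerableController() {
        caseId = ApexPages.currentPage().getParameters().get('id');
        // DML in a constructor: runs on page load, no user action required.
        Case c = new Case(Id = caseId, Reviewed__c = true);
        update c;
    }
}

// AFTER: the state change lives in a method that only runs when the LWC calls
// it from an explicit user action (a button's onclick handler), never from
// connectedCallback() or renderedCallback().
public with sharing class CaseReviewController {
    // cacheable=false is the default for @AuraEnabled, and DML is not allowed
    // in cacheable=true methods. The annotation exposes the method to the
    // component; it is not a CSRF control by itself.
    @AuraEnabled(cacheable=false)
    public static void markReviewed(Id caseId) {
        // 'with sharing' only enforces record visibility; object- and
        // field-level permissions must be checked explicitly.
        if (!Schema.sObjectType.Case.isUpdateable() ||
            !Schema.sObjectType.Case.fields.Reviewed__c.isUpdateable()) {
            throw new AuraHandledException('Insufficient access to update Case');
        }
        Case c = new Case(Id = caseId, Reviewed__c = true);
        update c;
    }
}

/* LWC caller (caseReview.js, an assumed component), wired in the template to
 * <lightning-button label="Mark reviewed" onclick={handleReview}>:
 *
 *   import markReviewed from '@salesforce/apex/CaseReviewController.markReviewed';
 *   ...
 *   handleReview() { markReviewed({ caseId: this.recordId }); }
 *
 * markReviewed() is never invoked from connectedCallback() or renderedCallback().
 */
```

The vulnerable class is the shape a static scanner flags; moving the `update` into `markReviewed` and calling it only from the click handler means the record cannot be changed by making the user open a URL, and the CRUD/FLS checks keep the method safe even when it is reached by a user who can see the record but may not edit it.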