FAQ-000200 - CSRF and DML Security Issues / General CSRF Prevention and Best Practices


Current FAQ

Question
How do I address CSRF vulnerabilities in my application?
Answer
To address CSRF vulnerabilities in your application, follow these steps:

1. **Enable CSRF Protection on GET requests**: For Visualforce pages, set `confirmationTokenRequired` to `true` in the page's metadata (the "Require CSRF protection on GET requests" option for the page in Setup). The page then rejects GET requests whose URL does not carry a valid CSRF token, so an attacker cannot fire the page's `action` method by luring a logged-in user to a crafted link or image. POSTs submitted through `<apex:form>` already carry the platform's anti-CSRF token; this setting covers the GET path.

2. **Trigger State Changes Only from User Actions**: Do not perform DML or other state changes during page or component initialization. Apex constructors, getters, and the method bound to the `action` attribute of `<apex:page>` all run on a plain GET, which is exactly what the ApexCSRF rule flags. Put DML in action methods that run only on an explicit user action, such as a command button.

3. **Use Secure Coding Practices**: Protect every form submission and state-changing operation with a CSRF token. For Lightning Web Components, do not call Apex that performs DML from `constructor()` or `connectedCallback()`; wait for a user event such as a button click.

4. **Validate Redirections**: Prevent open redirects by redirecting to hardcoded URLs, or by validating a user-controlled target (for example, accepting only a relative path that begins with a single `/`, or matching it against an allow-list) before passing it to `PageReference`.

5. **Repackage and Resubmit**: After fixing the findings, rerun the security scan and repackage the application for submission.

These measures mitigate CSRF vulnerabilities and improve your application's security.
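The following controller is an added illustration of steps 2 and 4 and is not code from this FAQ or from Salesforce. The class name, the `retURL` parameter, the page name `SafeAccountPage` and the use of the standard `Description` field are assumptions made for the example. It keeps DML out of initialization (so the ApexCSRF rule has nothing to flag), shows the vulnerable page-action pattern for contrast, and validates the redirect target before building a `PageReference` (the ApexOpenRedirect concern).

```apex
// Added illustration, not code from the FAQ. Names (SafeAccountController,
// the retURL parameter, the SafeAccountPage page) are assumptions.
public with sharing class SafeAccountController {
    public Account acct { get; private set; }

    // Hypothetical query-string parameter carrying the post-action destination.
    private static final String RETURN_PARAM = 'retURL';

    // Initialization only reads. No DML in the constructor, in getters, or in
    // a method bound to <apex:page action="...">: those run on a bare GET that
    // an attacker can force a logged-in user to issue (ApexCSRF finding).
    public SafeAccountController(ApexPages.StandardController std) {
        acct = (Account) std.getRecord();
    }

    // VULNERABLE pattern kept for contrast. Binding this as the page action,
    // <apex:page action="{!autoClose}">, lets GET /apex/SafeAccountPage?id=...
    // update the record with no user intent and no token check.
    public PageReference autoClose() {
        acct.Description = 'Closed by automatic page load';
        update acct;
        return null;
    }

    // HARDENED: DML happens only from an explicit user action, e.g.
    // <apex:form><apex:commandButton action="{!close}" value="Close"/></apex:form>
    // The form POST carries the platform anti-CSRF token.
    public PageReference close() {
        acct.Description = 'Closed by user';
        update acct;
        return redirectAfterAction();
    }

    // Open-redirect guard: accept only a relative, same-origin path.
    // Absolute URLs, protocol-relative "//host" and "/\host" variants are
    // rejected so an attacker cannot send the user off-site via retURL.
    @TestVisible
    private static Boolean isSafeRelativePath(String target) {
        if (String.isBlank(target)) {
            return false;
        }
        if (!target.startsWith('/')) {
            return false;
        }
        if (target.startsWith('//') || target.startsWith('/\\')) {
            return false;
        }
        return true;
    }

    private PageReference redirectAfterAction() {
        String target = ApexPages.currentPage().getParameters().get(RETURN_PARAM);
        // Fall back to a hardcoded, record-relative destination when the
        // supplied target fails validation.
        PageReference dest = isSafeRelativePath(target)
            ? new PageReference(target)
            : new PageReference('/' + acct.Id);
        dest.setRedirect(true);
        return dest;
    }
}
```

If a page genuinely needs an `action` attribute that changes state (step 1), keep the GET path covered by setting `<confirmationTokenRequired>true</confirmationTokenRequired>` in the page's `.page-meta.xml`; the controller pattern above removes the need for it in the common case, because the only DML sits behind a form POST.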


AI Recommended Enhancement

Related Security Rules
- ApexCSRF
- VfCsrf
- ApexOpenRedirect
Question
How do I address CSRF vulnerabilities in my application?
Recommended Answer Update
Unchanged; identical to the current answer above.
Reasoning
The FAQ content is accurate and covers key CSRF protection strategies. No significant changes are needed as the existing content aligns well with security best practices. The answer structure is clear and actionable. I selected three security rules that directly relate to the FAQ content: ApexCSRF relates to the general CSRF protection guidance and the advice about avoiding state changes during initialization (the rule flags DML operations in constructors/getters which aligns with the FAQ's advice about requiring explicit user actions). VfCsrf relates to the specific Visualforce guidance about confirmationTokenRequired attribute mentioned in step 1. ApexOpenRedirect relates to the validation of redirections guidance in step 4, which specifically mentions preventing open redirects through URL validation. Each rule corresponds to specific technical advice provided in the FAQ answer.
Reasoning References