FAQ-000202 - CSRF and DML Security Issues / General CSRF Prevention and Best Practices


Current FAQ

Question
How can CSRF vulnerabilities be evaluated when no actual DML operations occur on component load?
Answer
To evaluate CSRF exposure when no DML runs on component load, check what can execute without a deliberate user action and without Salesforce's anti-CSRF token, because the same weakness arises from any load-time action with side effects, not only from DML:
1. Ensure every state change (DML, updates to custom settings, callouts with side effects) is explicitly triggered by a user action such as a button click, never by a page or component simply being opened. A request that a victim's browser can be made to send by following a link (a plain GET) must not change state.
2. For Visualforce pages, do not bind an action to `<apex:page action="...">` and do not perform DML in the controller or extension constructor: both run on page load before any form is submitted. Keep state-changing logic in action methods bound to `<apex:commandButton>` or `<apex:commandLink>` inside an `<apex:form>`, whose POST carries the anti-CSRF token. Confirm the `confirmationTokenRequired` attribute is set to `true` to enforce CSRF protection.
3. For Lightning components (Aura and LWC), do not call Apex that changes state from the component's initialisation path (the Aura `init` handler or the LWC `connectedCallback`); invoke such methods only from event handlers tied to user actions, and follow the usual secure coding practices for the `@AuraEnabled` methods themselves.
Applying these checks covers the CSRF risk even when a scan reports no DML on load, since the review then confirms that nothing with side effects runs on load at all.
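The pattern behind points 1 and 2 above, written out as an added example (this is not code from the FAQ or from Salesforce; the class, page and query details, `LAST_N_DAYS:365` included, are assumptions chosen for illustration). The first class shows the two load-time shapes that the ApexCSRF rule (DML in a constructor) and the VfCsrf rule (`<apex:page action>`) flag; the second performs the same deletion only from a form submission, which Visualforce protects with its anti-CSRF token, and keeps a CRUD check alongside because CSRF protection does not replace object permissions. Each class belongs in its own `.cls` file; the Visualforce markup for each is shown in the leading comment.

```apex
// Added example, not code from the FAQ or from Salesforce: the object, field,
// page and class names are assumptions chosen for illustration.

/* Visualforce markup for the vulnerable version (assumed page "StaleAccountsBad"):
 *
 *   <apex:page controller="StaleAccountControllerBad" action="{!archiveStale}">
 *     <!-- the constructor and the page action both run on a plain GET -->
 *   </apex:page>
 */
public with sharing class StaleAccountControllerBad {

    // Flagged by PMD ApexCSRF: DML in a controller constructor runs on every
    // page load, so a victim who is tricked into opening the page URL executes
    // the delete with their own session; no anti-CSRF token is checked.
    public StaleAccountControllerBad() {
        delete [SELECT Id FROM Account WHERE LastActivityDate < LAST_N_DAYS:365];
    }

    // Flagged by PMD VfCsrf when bound as <apex:page action="{!archiveStale}">:
    // a page-load action is a GET-triggered state change, exactly as above.
    public PageReference archiveStale() {
        delete [SELECT Id FROM Account WHERE LastActivityDate < LAST_N_DAYS:365];
        return null;
    }
}

/* Visualforce markup for the hardened version (assumed page "StaleAccounts"):
 *
 *   <apex:page controller="StaleAccountController">
 *     <apex:form>
 *       <!-- the form POST carries the Visualforce anti-CSRF token -->
 *       <apex:outputText value="{!staleCount} stale accounts will be deleted."/>
 *       <apex:commandButton action="{!archiveStale}" value="Delete stale accounts"/>
 *     </apex:form>
 *   </apex:page>
 */
public with sharing class StaleAccountController {

    public Integer staleCount { get; private set; }

    // Constructor and page load only read; nothing changes state on GET.
    public StaleAccountController() {
        staleCount = [SELECT COUNT() FROM Account WHERE LastActivityDate < LAST_N_DAYS:365];
    }

    // Reached only through the commandButton's form submission, which
    // Visualforce rejects if the anti-CSRF token is missing or stale.
    public PageReference archiveStale() {
        // CRUD check kept alongside: CSRF protection is not an authorisation check.
        if (!Schema.sObjectType.Account.isDeletable()) {
            ApexPages.addMessage(new ApexPages.Message(ApexPages.Severity.ERROR,
                'You do not have permission to delete accounts.'));
            return null;
        }
        List<Account> stale = [SELECT Id FROM Account WHERE LastActivityDate < LAST_N_DAYS:365];
        delete stale;
        staleCount = 0;
        return null;
    }
}
```

Running PMD with its ApexCSRF and VfCsrf rules over the first class and its page reproduces the two findings named in the Related Security Rules section; the second class and page produce neither, which is the state a review should expect when the answer above has been followed.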

AI Recommended Enhancement

Related Security Rules: ApexCSRF, VfCsrf
Recommended Answer Update
No change recommended; the current answer above stands as written.
Reasoning
The FAQ content is well-structured and technically accurate. No significant issues were found that require content changes: the advice about user-triggered actions, the `confirmationTokenRequired` attribute, and Lightning component best practices is sound and current. The original answer effectively addresses the core question about CSRF evaluation when no DML operations occur on load.

For the selected security rules:

**ApexCSRF**: This rule directly relates to the FAQ's focus on CSRF vulnerability evaluation. The FAQ discusses ensuring state changes are user-triggered and following secure coding practices, which aligns with this rule's purpose of detecting potential CSRF vulnerabilities in Apex code. The FAQ's emphasis on explicit user actions (like button clicks) directly supports the security concerns this rule addresses.

**VfCsrf**: This rule is highly relevant as the FAQ specifically mentions Visualforce pages and the `confirmationTokenRequired` attribute. The FAQ's recommendation to "confirm the confirmationTokenRequired attribute is set to true to enforce CSRF protection" directly corresponds to what this Visualforce CSRF security rule evaluates. This rule specifically focuses on CSRF protection in Visualforce pages, which is explicitly covered in point 2 of the FAQ answer.