FAQ-000206 - CSRF and DML Security Issues / General CSRF Prevention and Best Practices

Current Status: VALID_RESPONSE

Current FAQ

Question
How should I implement CSRF protection for my application's custom pages?
Answer
To implement CSRF protection for your application's custom pages in Salesforce, follow these steps:

1. **For Visualforce Pages**:
   - Enable the `confirmationTokenRequired` attribute in the Visualforce page settings. When set to `true`, GET requests to the page require a CSRF token in the URL. Without the token, the page becomes inaccessible. Configure this in the Visualforce page settings in your org setup.
2. **For Lightning Components and LWC**:
   - Avoid performing state changes or DML operations in an Apex controller during the instantiation of Lightning or LWC components. Instead, trigger these operations through explicit user actions, like button clicks.
3. **General Practices**:
   - Ensure all form requests and state-changing operations are initiated by user actions. Avoid executing DML operations or state changes during page initialization, as this bypasses Salesforce's default CSRF protection.
4. **Token Validation**:
   - Validate the CSRF token's entropy to ensure it is strong enough to mitigate attacks.

For more details, refer to Salesforce's secure coding guidelines and the Metadata API Developer Guide.

AI Recommended Enhancement

Related Security Rules: ApexCSRF, VfCsrf
Question
How should I implement CSRF protection for my application's custom pages?
Recommended Answer Update
To implement CSRF protection for your application's custom pages in Salesforce, follow these steps:

1. **For Visualforce Pages**:
   - Enable the `confirmationTokenRequired` attribute in the Visualforce page settings. When set to `true`, GET requests to the page require a CSRF token in the URL. Without the token, the page becomes inaccessible. Configure this in the Visualforce page settings in your org setup.
2. **For Lightning Components and LWC**:
   - Avoid performing state changes or DML operations in an Apex controller during the instantiation of Lightning or LWC components. Instead, trigger these operations through explicit user actions, like button clicks.
3. **General Practices**:
   - Ensure all form requests and state-changing operations are initiated by user actions. Avoid executing DML operations or state changes during page initialization, as this bypasses Salesforce's default CSRF protection.
4. **Token Validation**:
   - For custom implementations, validate the CSRF token to ensure it provides adequate protection against attacks.

For more details, refer to Salesforce's secure coding guidelines and the Metadata API Developer Guide.
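The following Apex controllers illustrate steps 2 and 3 of both the current answer and the recommended update: the controller shape the FAQ warns against (a DML statement that runs while the controller is instantiated, i.e. on every page load) beside the shape it recommends (reads in the constructor, writes only in a method bound to a user action). This is an added example, not code from the FAQ or from Salesforce; the class names, the `markReviewed`/`markAccountReviewed` methods and the `Reviewed__c` custom field are hypothetical, and the two classes live in two separate `.cls` files because Apex allows one top-level class per file.

```apex
// AccountStatusControllerBefore.cls  (added example; hypothetical names)
// Instantiating this controller performs an update. A Visualforce page or
// Lightning component that uses it therefore writes to the record on the
// plain GET that renders it, before any user action and before any form post
// that would carry the platform's anti-forgery token. This is the pattern the
// FAQ tells you to avoid.
public with sharing class AccountStatusControllerBefore {
    public Account acct { get; private set; }

    public AccountStatusControllerBefore() {
        Id accountId = ApexPages.currentPage().getParameters().get('id');
        acct = [SELECT Id, Reviewed__c FROM Account
                WHERE Id = :accountId WITH SECURITY_ENFORCED];
        acct.Reviewed__c = true;
        update acct;   // DML during instantiation: runs on page load
    }
}

// AccountStatusController.cls  (added example; hypothetical names)
// Same functionality with the state change moved out of initialization.
public with sharing class AccountStatusController {
    public Account acct { get; private set; }

    // The constructor only reads. The same rule applies to an
    // <apex:page action="..."> method, which also runs on page load.
    public AccountStatusController() {
        Id accountId = ApexPages.currentPage().getParameters().get('id');
        acct = [SELECT Id, Reviewed__c FROM Account
                WHERE Id = :accountId WITH SECURITY_ENFORCED];
    }

    // Visualforce: bind this to <apex:commandButton action="{!markReviewed}">
    // inside an <apex:form>. The write then happens on a form POST that the
    // user initiated and that carries the page's anti-forgery token.
    public PageReference markReviewed() {
        acct.Reviewed__c = true;
        update acct;
        return null;
    }

    // Lightning / LWC: call this imperatively from the component's onclick
    // handler, not from connectedCallback and not through a @wire adapter,
    // so the update only happens on an explicit user action.
    @AuraEnabled
    public static void markAccountReviewed(Id accountId) {
        Account a = [SELECT Id, Reviewed__c FROM Account
                     WHERE Id = :accountId WITH SECURITY_ENFORCED];
        a.Reviewed__c = true;
        update a;
    }
}
```

For a Visualforce page backed by the second controller, step 1 of the answer still applies: set `confirmationTokenRequired` on the page so that the GET itself is also token-protected. The controller change is what keeps the write out of page initialization; the page setting is what protects the initial request.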
Reasoning
The FAQ content is largely accurate and covers the essential CSRF protection practices. I made one minor refinement in point 4 by removing the specific reference to 'entropy' validation, as this is more of an implementation detail that could be confusing without additional context. The change to 'validate the CSRF token to ensure it provides adequate protection' maintains the security guidance while being more accessible. All other content remains unchanged as it accurately reflects CSRF protection best practices.

For security rules selection:

- ApexCSRF: This rule directly relates to the FAQ's core topic of preventing CSRF vulnerabilities in Apex code. The FAQ specifically discusses avoiding DML operations during component instantiation and ensuring state changes are triggered by user actions, which aligns with this rule's purpose of detecting CSRF vulnerabilities in Apex controllers.
- VfCsrf: This rule is highly relevant as the FAQ explicitly covers Visualforce CSRF protection, including the use of the confirmationTokenRequired attribute and proper token handling for Visualforce pages, which is exactly what this rule addresses.