FAQ-000207 - CSRF and DML Security Issues / General CSRF Prevention and Best Practices


Current FAQ

Question
How can I properly implement CSRF protection when standard solutions don't work for all use cases?
Answer
When standard CSRF protection solutions don't work for all use cases in Salesforce, you can try these approaches:

1. **Visualforce Pages**:
   - Enable the `confirmationTokenRequired` attribute in the Visualforce page settings. This ensures GET requests require a CSRF token in the URL, making the page inaccessible without it. Configure this in your org's Visualforce page settings.
2. **Lightning Components (LWC/Aura)**:
   - Avoid performing state changes or DML operations during component instantiation (e.g., in `connectedCallback` or `renderedCallback`). Instead, trigger these operations through explicit user actions, like button clicks.
3. **Custom Solutions**:
   - Implement user interaction for any redirection and use token-based authentication to validate redirection requests. This adds an extra layer of security.
   - Use CSRF tokens and ensure the `confirmationTokenRequired` attribute is set to "True."
   - Add user interaction, like requiring a button click, before initiating any redirection or DML operations.
   - Enable authentication by tokens to validate redirections and ensure they are legitimate.
4. **General Best Practices**:
   - Protect all form requests and state-changing operations by requiring user actions to trigger them. Avoid executing DML operations in constructors or automatically initiated methods.
   - Review and update your code to ensure all user interactions are secure and properly validated.

For more detailed guidance, refer to Salesforce's Secure Server-Side Development module and the Metadata API Developer Guide. If standard solutions don't address your specific needs, you should open a case with Salesforce Support for tailored guidance.
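An added example (not code from this FAQ or from Salesforce's documentation) of points 1 and 4 applied to a Visualforce controller: the constructor stays read-only and the DML runs only in an action method bound to a button. The class name `CloseCaseController`, the page markup in the comment and the `'Closed'` status value are assumptions for this illustration.

```apex
// Assumed Visualforce page (shown for context):
//   <apex:page controller="CloseCaseController">
//     <apex:form>
//       <apex:outputText value="{!message}"/>
//       <apex:commandButton value="Close case" action="{!closeCase}"/>
//     </apex:form>
//   </apex:page>
// With "Require CSRF protection on GET requests" (confirmationTokenRequired) enabled on the
// page, a GET without the token is rejected, and the commandButton POST carries the
// view-state anti-CSRF token automatically.
public with sharing class CloseCaseController {
    private final String caseId;
    public String message { get; private set; }

    // Anti-pattern this controller avoids (flagged by the ApexCSRF rule): running
    //   update someCase;
    // inside the constructor, so the state change fires on every page load (a GET).
    public CloseCaseController() {
        // Read-only: capture the request parameter, perform no DML during page load.
        caseId = ApexPages.currentPage().getParameters().get('id');
        message = 'Review the case, then confirm with the button.';
    }

    // Reached only through the commandButton POST, i.e. an explicit user action.
    public PageReference closeCase() {
        if (String.isBlank(caseId)) {
            message = 'No case specified.';
            return null;
        }
        List<Case> cases;
        try {
            cases = [
                SELECT Id, Status FROM Case
                WHERE Id = :caseId
                WITH SECURITY_ENFORCED
                LIMIT 1
            ];
        } catch (Exception e) {
            // Malformed id or insufficient field access: report, do not change state.
            message = 'Case could not be loaded.';
            return null;
        }
        if (cases.isEmpty()) {
            message = 'Case not found or not accessible.';
            return null;
        }
        cases[0].Status = 'Closed';   // assumed default Case status value
        update cases[0];
        message = 'Case ' + cases[0].Id + ' closed.';
        return null;   // stay on the page; any redirect would need the same explicit user action
    }
}
```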

AI Recommended Enhancement

Related Security Rules
ApexCSRF, VfCsrf
Question
How can I properly implement CSRF protection when standard solutions don't work for all use cases?
Recommended Answer Update
When standard CSRF protection solutions don't work for all use cases in Salesforce, you can try these approaches:

1. **Visualforce Pages**:
   - Enable the `confirmationTokenRequired` attribute in the Visualforce page settings. This ensures GET requests require a CSRF token in the URL, making the page inaccessible without it. Configure this in your org's Visualforce page settings.
2. **Lightning Components (LWC/Aura)**:
   - Avoid performing state changes or DML operations during component instantiation (e.g., in `connectedCallback` or `renderedCallback`). Instead, trigger these operations through explicit user actions, like button clicks.
3. **Custom Solutions**:
   - Implement user interaction for any redirection and use token-based authentication to validate redirection requests. This adds an extra layer of security.
   - Use CSRF tokens and ensure the `confirmationTokenRequired` attribute is set to "True."
   - Add user interaction, like requiring a button click, before initiating any redirection or DML operations.
   - Enable authentication by tokens to validate redirections and ensure they're legitimate.
4. **General Best Practices**:
   - Protect all form requests and state-changing operations by requiring user actions to trigger them. Avoid executing DML operations in constructors or automatically initiated methods.
   - Review and update your code to ensure all user interactions are secure and properly validated.

For more detailed guidance, refer to Salesforce's Secure Server-Side Development module and the Metadata API Developer Guide. If standard solutions don't address your specific needs, contact Salesforce Support for tailored guidance.
Reasoning
The answer is well-structured and covers important CSRF protection concepts. The main improvement needed is in the tone and style to align with the conversational brand guidelines. I changed "you should open a case with Salesforce Support" to "contact Salesforce Support" to be more direct and concise, following the guideline to use fewer words while maintaining clarity. The rest of the content is accurate and comprehensive.

For security rules selection:

- ApexCSRF: This rule directly relates to the FAQ's core topic of CSRF protection in Apex code. The FAQ discusses avoiding DML operations in constructors and automatically initiated methods, which is exactly what this rule detects: CSRF vulnerabilities in Apex classes.
- VfCsrf: This rule is highly relevant as the FAQ specifically discusses Visualforce pages and the `confirmationTokenRequired` attribute, which is the primary mechanism this rule checks for CSRF protection in Visualforce.