How should I implement error logging to avoid CSRF vulnerabilities in automatically executed code?
Answer
To implement error logging securely and avoid CSRF vulnerabilities in automatically executed code in Salesforce:
1. **Avoid Automatic State Changes**: Do not perform DML operations or state-changing actions automatically upon page load. Require manual user interaction, like a button click, to trigger these actions.
2. **Enforce Access Checks**: Use proper access checks, such as `IsCreatable()`, before performing database operations.
3. **Secure Logging**: Avoid logging sensitive information in debug statements. Redact or omit sensitive data from logs, especially in production environments.
These practices help ensure secure error logging while mitigating CSRF risks.
How should I implement error logging to avoid CSRF vulnerabilities in automatically executed code?
Recommended Answer Update
To implement error logging securely and avoid CSRF vulnerabilities in automatically executed code in Salesforce:
1. **Avoid Automatic State Changes**: Don't perform DML operations or state-changing actions automatically upon page load. Require manual user interaction, like a button click, to trigger these actions.
2. **Enforce Access Checks**: Use proper access checks, such as `IsCreateable()`, before performing database operations.
3. **Secure Logging**: Avoid logging sensitive information in debug statements. Redact or omit sensitive data from logs, especially in production environments.
These practices help ensure secure error logging while mitigating CSRF risks.
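The three practices above applied to a Visualforce controller, as an added example that is not part of the original FAQ or of any Salesforce code. The `Error_Log__c` object, its `Message__c` field and both class names are hypothetical.

```apex
// Added example; Error_Log__c, Message__c and the class names are hypothetical.
// Each class would live in its own file.

// BEFORE: the constructor runs on every page load, so merely requesting the
// page (for example through a cross-site link) writes to the database.
public with sharing class AccountPageBefore {
    public Account acct { get; private set; }
    public AccountPageBefore() {
        String recordId = ApexPages.currentPage().getParameters().get('id');
        try {
            acct = [SELECT Id, Name FROM Account WHERE Id = :recordId LIMIT 1];
        } catch (Exception e) {
            System.debug(e.getMessage() + ' id=' + recordId);      // request data in the log
            insert new Error_Log__c(Message__c = e.getMessage());  // DML on load, no CRUD check
        }
    }
}

// AFTER: loading only reads; the log record is written by a button postback.
public with sharing class AccountPageAfter {
    public Account acct { get; private set; }
    public String lastError { get; private set; }
    public AccountPageAfter() {
        String recordId = ApexPages.currentPage().getParameters().get('id');
        try {
            acct = [SELECT Id, Name FROM Account WHERE Id = :recordId LIMIT 1];
        } catch (Exception e) {
            lastError = e.getTypeName();   // exception type only, no record or request data
            System.debug(LoggingLevel.ERROR, 'Account load failed: ' + lastError);
        }
    }

    // Bound to <apex:commandButton action="{!reportError}"/> inside <apex:form>.
    public PageReference reportError() {
        if (lastError == null) {
            return null;
        }
        if (!Schema.sObjectType.Error_Log__c.isCreateable()) {
            ApexPages.addMessage(new ApexPages.Message(
                ApexPages.Severity.ERROR, 'You are not allowed to create error logs.'));
            return null;
        }
        insert new Error_Log__c(Message__c = lastError);
        lastError = null;
        return null;   // stay on the same page
    }
}
```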
Reasoning
The FAQ content is generally sound but has a minor typo that should be corrected for accuracy. The method name is misspelled as 'IsCreatable()'; the correct method name is 'IsCreateable()' with an 'e'. This is important because developers need the exact method name to implement proper CRUD checks. No other changes are needed, as the content appropriately addresses CSRF prevention and secure logging practices.
The FAQ directly relates to the ApexCSRF rule because it teaches how to prevent CSRF vulnerabilities by avoiding automatic state changes and requiring user interaction, which is exactly what the ApexCSRF rule detects (automatic DML operations that could be exploited via CSRF).
The FAQ also relates to the ApexCRUDViolation rule because point 2 specifically mentions using proper access checks like 'IsCreateable()' before database operations, which is precisely what the ApexCRUDViolation rule enforces: ensuring proper CRUD (Create, Read, Update, Delete) permission checks are performed before DML operations.