FAQ-000211 - CSRF and DML Security Issues / General CSRF Prevention and Best Practices


Current FAQ

Question
What is the complete range of solutions for addressing CSRF issues?
Answer
To address CSRF issues in applications, here is the complete range of solutions:

1. **Use CSRF Tokens**: Implement per-request or session-based CSRF tokens with sufficient entropy, and validate them on the server side.
2. **Enable `confirmationTokenRequired`**: For Visualforce pages, set the `confirmationTokenRequired` attribute to "true" to enforce token validation.
3. **Add User Interaction**: Require explicit user actions, like button clicks, before initiating state changes or DML operations. Avoid triggering such operations on page load.
4. **Avoid DML in Constructors or `init` Methods**: Refrain from performing database operations in methods automatically invoked during page initialization.
5. **Validate Redirections**: Use authentication tokens to ensure redirections are valid and secure.
6. **Eliminate Remote Site References**: Remove unnecessary remote site references from packaged code to reduce vulnerabilities.
7. **Follow Secure Coding Practices**: Adhere to secure coding guidelines, such as those in Salesforce's security review documentation, to prevent CSRF and other vulnerabilities.
8. **Conduct Thorough Testing**: Use tools like Checkmarx or CodeAnalyzer to identify and address potential CSRF risks across the application.

Applying these measures consistently will help mitigate CSRF vulnerabilities effectively.
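Items 2 to 4 above (and the same items in the recommended update below) describe the pattern that the ApexCSRF and VfCsrf rules flag. The following Apex is an added illustration, not code from this FAQ or from Salesforce: the object, field and class names are invented, and the Visualforce markup in the trailing comment is assumed wiring for the controller.

```apex
// Added example, not part of the FAQ. Case/Status are illustrative choices.

// VULNERABLE: DML runs during page initialization. Anyone who merely loads
// /apex/CloseCase?id=... (for example from a link) closes the case without
// intending to; no button, no POST, no anti-CSRF token is involved (ApexCSRF).
public with sharing class CloseCaseVulnerableController {
    public CloseCaseVulnerableController() {
        Id caseId = ApexPages.currentPage().getParameters().get('id');
        Case c = [SELECT Id, Status FROM Case WHERE Id = :caseId LIMIT 1];
        c.Status = 'Closed';
        update c;   // state change on page load
    }
}

// HARDENED: the constructor only reads. The state change lives in an action
// method bound to a command button, so it runs in a form POST that carries the
// platform's anti-CSRF token, and only after an explicit click.
public with sharing class CloseCaseController {
    public Case record { get; private set; }

    public CloseCaseController() {
        Id caseId = ApexPages.currentPage().getParameters().get('id');
        // Read-only work is acceptable during initialization; 'with sharing'
        // restricts the query to records the running user can see.
        record = [SELECT Id, CaseNumber, Status FROM Case WHERE Id = :caseId LIMIT 1];
    }

    // Reached only via <apex:commandButton action="{!closeCase}"/>, never on load.
    public PageReference closeCase() {
        // CRUD/FLS check before the write; the FAQ's token check is platform-side.
        if (!Schema.sObjectType.Case.isUpdateable()
            || !Schema.sObjectType.Case.fields.Status.isUpdateable()) {
            ApexPages.addMessage(new ApexPages.Message(
                ApexPages.Severity.ERROR, 'Insufficient access to close this case.'));
            return null;
        }
        record.Status = 'Closed';
        update record;
        return null;   // stay on the page and show the result
    }
}

/* Assumed Visualforce wiring (not compiled with the Apex above):
   Vulnerable: <apex:page controller="CloseCaseController" action="{!closeCase}"/>
               -- action on apex:page fires on GET; this is what VfCsrf reports.
   Hardened:   <apex:page controller="CloseCaseController">
                 <apex:form>
                   <apex:pageMessages/>
                   <apex:commandButton action="{!closeCase}" value="Close case"/>
                 </apex:form>
               </apex:page>
   with confirmationTokenRequired set to true for the page, as item 2 recommends. */
```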


AI Recommended Enhancement

Related Security Rules
ApexCSRF, VfCsrf
Question
What is the complete range of solutions for addressing CSRF issues?
Recommended Answer Update
To address CSRF issues in applications, here is the complete range of solutions:

1. **Use CSRF Tokens**: Implement per-request or session-based CSRF tokens with sufficient entropy, and validate them on the server side.
2. **Enable `confirmationTokenRequired`**: For Visualforce pages, set the `confirmationTokenRequired` attribute to "true" to enforce token validation.
3. **Add User Interaction**: Require explicit user actions, like button clicks, before initiating state changes or DML operations. Avoid triggering such operations on page load.
4. **Avoid DML in Constructors or `init` Methods**: Refrain from performing database operations in methods automatically invoked during page initialization.
5. **Validate Redirections**: Use authentication tokens to ensure redirections are valid and secure.
6. **Eliminate Remote Site References**: Remove unnecessary remote site references from packaged code to reduce vulnerabilities.
7. **Follow Secure Coding Practices**: Adhere to secure coding guidelines, such as those in Salesforce's security review documentation, to prevent CSRF and other vulnerabilities.
8. **Conduct Thorough Testing**: Use tools like Salesforce Code Analyzer to identify and address potential CSRF risks across the application.

Applying these measures consistently will help mitigate CSRF vulnerabilities effectively.
Reasoning
The FAQ content is accurate and comprehensive. I made one minor update to align with current Salesforce tooling: replaced 'Checkmarx or CodeAnalyzer' with 'Salesforce Code Analyzer' to reflect the current recommended static analysis tool for Salesforce. This change improves accuracy by referencing the officially supported tool.

For security rule associations:

- **ApexCSRF**: This rule directly relates to the FAQ's core topic of preventing CSRF vulnerabilities in Apex code. The FAQ discusses avoiding DML in constructors and init methods, requiring user interaction before state changes, and other CSRF prevention measures that this rule would detect violations of.
- **VfCsrf**: This rule specifically addresses CSRF issues in Visualforce pages. The FAQ explicitly mentions setting `confirmationTokenRequired` to "true" for Visualforce pages, which is exactly what this rule enforces and validates.