FAQ-000212 - CSRF and DML Security Issues / General CSRF Prevention and Best Practices


Current FAQ

Question
What are the key elements of a CSRF attack that I should be looking for in my code?
Answer
The key elements of a CSRF attack to look for in your code include:

1. **Automatic State Changes or DML Operations**: Operations triggered automatically on page load, such as in Visualforce pages, Lightning components, or Aura components.
2. **Missing CSRF Token Validation**: Lack of CSRF token validation, especially when `confirmationTokenRequired` is not enabled for Visualforce pages.
3. **Apex Controller Vulnerabilities**: Methods in Apex controllers that execute state changes or DML operations during instantiation, without any user interaction.
4. **Exploitable URL Parameters**: URL parameters that let an attacker craft a malicious URL which executes unintended database actions.
5. **No User Action Triggers**: Absence of user action triggers, such as button clicks, to securely initiate state changes or DML operations.

To mitigate these risks, implement proper CSRF token validation, avoid automatic execution of sensitive operations, and ensure user actions are validated before performing state changes.
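As an added example (not part of this FAQ and not Salesforce's own rule implementation), a small Python check that applies elements 1 and 3 above to constructed sample sources: an `<apex:page>` whose `action` attribute fires on load (what the VfCsrf rule flags) and a controller whose constructor runs DML before any user action (what the ApexCSRF rule flags). The class, field and object names in the samples are made up, and the check covers constructors only, not getters or initializer blocks.

```python
import re

# Constructed samples: a page-load action and a controller with DML in its
# constructor, the two patterns the VfCsrf and ApexCSRF rules report.
SAMPLE_PAGE = '<apex:page controller="InvoiceController" action="{!approve}">\n</apex:page>'
SAMPLE_APEX = """
public with sharing class InvoiceController {
    private Invoice__c inv;                       // Invoice__c is a constructed object name
    public InvoiceController() {
        inv = [SELECT Id FROM Invoice__c WHERE Id = :ApexPages.currentPage().getParameters().get('id')];
        inv.Status__c = 'Approved';
        update inv;                               // DML on instantiation: no user action, no token
    }
    public PageReference approve() { update inv; return null; }   // safe when bound to a commandButton
}
"""

# Apex DML statements and Database.* DML calls, captured up to the terminating semicolon.
DML_RE = re.compile(
    r"\b(?:insert|update|upsert|delete|undelete|merge)\s+[^;]+;"
    r"|\bDatabase\.(?:insert|update|upsert|delete|undelete|merge)\w*\s*\([^;]*\);",
    re.IGNORECASE,
)

def strip_comments(src):
    """Drop // and /* */ comments so keywords inside them are not counted."""
    return re.sub(r"//[^\n]*", "", re.sub(r"/\*.*?\*/", "", src, flags=re.DOTALL))
def block_body(src, open_idx):
    """Text between the brace at open_idx and its matching closing brace."""
    depth = 0
    for i in range(open_idx, len(src)):
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        if depth == 0:
            return src[open_idx + 1:i]
    return src[open_idx + 1:]
def find_page_load_actions(markup):
    """VfCsrf pattern: an action on <apex:page> runs on load, outside any form-bound token."""
    return re.findall(r'<apex:page\b[^>]*\baction\s*=\s*"([^"]*)"', markup)
def find_constructor_dml(apex_src):
    """ApexCSRF pattern: DML statements inside a constructor body."""
    src = strip_comments(apex_src)
    cls = re.search(r"\bclass\s+(\w+)", src)
    if not cls:
        return []
    hits = []
    for ctor in re.finditer(r"\b%s\s*\([^)]*\)\s*\{" % re.escape(cls.group(1)), src):
        body = block_body(src, ctor.end() - 1)
        hits += [stmt.strip() for stmt in DML_RE.findall(body)]
    return hits

if __name__ == "__main__":
    print("page-load actions:", find_page_load_actions(SAMPLE_PAGE))
    print("constructor DML:", find_constructor_dml(SAMPLE_APEX))
```

The `approve()` method is not reported: the same `update` is acceptable when it is reached only through a button inside `<apex:form>`, where the platform's anti-CSRF token is checked.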

AI Recommended Enhancement

Related Security Rules
ApexCSRF, VfCsrf
Question
What are the key elements of a CSRF attack that I should be looking for in my code?
Recommended Answer Update
The key elements of a CSRF attack to look for in your code include:

1. **Automatic State Changes or DML Operations**: Operations triggered automatically on page load, such as in Visualforce pages, Lightning components, or Aura components.
2. **Missing CSRF Token Validation**: Lack of CSRF token validation, especially when `confirmationTokenRequired` is not enabled for Visualforce pages.
3. **Apex Controller Vulnerabilities**: Methods in Apex controllers that execute state changes or DML operations during instantiation, without any user interaction.
4. **Exploitable URL Parameters**: URL parameters that let an attacker craft a malicious URL which executes unintended database actions.
5. **No User Action Triggers**: Absence of user action triggers, such as button clicks, to securely initiate state changes or DML operations.

To mitigate these risks, implement proper CSRF token validation, avoid automatic execution of sensitive operations, and ensure user actions are validated before performing state changes.
Reasoning
The FAQ content is accurate and well-structured, covering the essential elements of CSRF vulnerabilities that developers should identify in their code. I selected two security rules that directly relate to the CSRF vulnerabilities discussed:

1. **ApexCSRF rule**: This rule specifically detects CSRF vulnerabilities in Apex code, which directly corresponds to points 3, 4, and 5 in the FAQ about Apex controller vulnerabilities, exploitable URL parameters, and the need for user action triggers. The FAQ's discussion of methods executing state changes during instantiation and URL parameter vulnerabilities aligns perfectly with what this rule detects.
2. **VfCsrf rule**: This rule focuses on CSRF vulnerabilities in Visualforce pages, which directly relates to points 1 and 2 in the FAQ about automatic operations on page load and missing CSRF token validation in Visualforce pages. The FAQ's specific mention of `confirmationTokenRequired` for Visualforce pages directly corresponds to what this rule validates.

The answer content is comprehensive and current; no updates were needed to the technical information, as it accurately reflects current CSRF prevention practices. The mitigation strategies mentioned (CSRF token validation, avoiding automatic execution, validating user actions) are the standard approaches for preventing CSRF attacks in Salesforce applications.