FAQ-000214 - CSRF and DML Security Issues / General CSRF Prevention and Best Practices

Current Status: VALID_RESPONSE

Current FAQ

Question
What are the common causes of Cross-Site Request Forgery (CSRF) vulnerabilities in applications?
Answer
Common causes of Cross-Site Request Forgery (CSRF) vulnerabilities in applications include:
1. Missing CSRF tokens, or tokens an attacker can predict because they are generated with insufficient entropy or reused across sessions.
2. Performing state-changing or data manipulation operations (e.g., DML) during page initialization, such as in a controller constructor or in a method that runs automatically on page load. A plain GET of the page then modifies data, so any site that lures an authenticated user into loading the page can trigger the change.
3. State changes that do not require an explicit user action, like a button click or form submission, so the application cannot distinguish a request the user intended from one forged by a third-party page.
4. Failure to validate or authenticate requests that carry privileged actions, for example relying on the session cookie alone, which the browser attaches to forged requests automatically.
5. Using deprecated or insecure methods that bypass the platform's default CSRF protections.
To mitigate these vulnerabilities, use unpredictable per-session CSRF tokens and verify them on every state-changing request, perform state changes only in action methods invoked by an explicit user action, and enforce proper authentication and authorization on those requests.
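As an added illustration of causes 2 and 3 (this is example code written for this page, not code from the original FAQ or from the ApexCSRF and VfCsrf rules themselves), the following shows a Visualforce controller that performs DML in its constructor, beside a hardened version that moves the DML into an action method reachable only through a form submission. The class names, the page name, the Account id in the comment, and the choice of updating the Rating field are assumptions made for the example; the Visualforce markup each class pairs with is shown in comments because each controller must live in its own .cls file.

```apex
// File: AccountRatingVulnerableController.cls (hypothetical name)
// Vulnerable form: the update runs inside the constructor, so merely loading
// the page (a GET request) modifies data. A malicious site can trigger it with
// an <img> tag or hidden iframe pointing at the page URL while the victim is
// logged in. The ApexCSRF rule flags DML in constructors and initializer
// methods for exactly this reason.
public with sharing class AccountRatingVulnerableController {
    public AccountRatingVulnerableController() {
        // Record id comes straight from the query string, e.g.
        //   /apex/AccountRating?id=001xx000003DGbX   (hypothetical page and id)
        Id acctId = ApexPages.currentPage().getParameters().get('id');
        Account a = new Account(Id = acctId, Rating = 'Hot');
        update a;   // DML during page initialization: no user action, no token check
    }
}

// A page that is equally vulnerable even with a clean constructor: the action
// attribute fires on page load, which is what the VfCsrf rule flags.
//   <apex:page controller="AccountRatingVulnerableController" action="{!markHot}"/>

// File: AccountRatingController.cls (hypothetical name)
// Hardened form: the constructor only reads state. The update lives in an
// action method invoked by a command button inside <apex:form>. Visualforce
// adds a platform-generated anti-CSRF token to that form and rejects a POST
// whose token does not match the session, so a forged request cannot reach
// the DML.
public with sharing class AccountRatingController {
    public Id acctId { get; private set; }

    public AccountRatingController() {
        acctId = ApexPages.currentPage().getParameters().get('id');
        // No DML here: loading the page changes nothing.
    }

    // Invoked only by an explicit user action (button click) from the page below.
    public PageReference markHot() {
        if (acctId == null) {
            ApexPages.addMessage(new ApexPages.Message(
                ApexPages.Severity.ERROR, 'Missing account id'));
            return null;
        }
        // Field-level access is a separate concern from CSRF, but every
        // state-changing action should still check it: the anti-CSRF token
        // proves the request came from the user's own page, not that the
        // user is allowed to make the change.
        if (!Schema.sObjectType.Account.fields.Rating.isUpdateable()) {
            ApexPages.addMessage(new ApexPages.Message(
                ApexPages.Severity.ERROR, 'Insufficient access to Account.Rating'));
            return null;
        }
        update new Account(Id = acctId, Rating = 'Hot');
        return null;
    }
}

// Matching page: no action attribute on <apex:page>; the DML sits behind a
// form submission, which carries the anti-CSRF token automatically.
//   <apex:page controller="AccountRatingController">
//       <apex:pageMessages/>
//       <apex:form>
//           <apex:commandButton value="Mark as Hot" action="{!markHot}"/>
//       </apex:form>
//   </apex:page>
```

The two versions differ only in where the DML runs. In the vulnerable controller the attacker needs nothing but the page URL and a logged-in victim; in the hardened one the same update requires a POST that carries the session's form token, which a third-party page cannot read or forge. Running the ApexCSRF and VfCsrf rules over both classes and pages is a quick way to confirm the first pair is flagged and the second is not.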

AI Recommended Enhancement

Related Security Rules: ApexCSRF, VfCsrf
Question
What are the common causes of Cross-Site Request Forgery (CSRF) vulnerabilities in applications?
Recommended Answer Update
Common causes of Cross-Site Request Forgery (CSRF) vulnerabilities in applications include:
1. Missing CSRF tokens, or tokens an attacker can predict because they are generated with insufficient entropy or reused across sessions.
2. Performing state-changing or data manipulation operations (e.g., DML) during page initialization, such as in a controller constructor or in a method that runs automatically on page load. A plain GET of the page then modifies data, so any site that lures an authenticated user into loading the page can trigger the change.
3. State changes that do not require an explicit user action, like a button click or form submission, so the application cannot distinguish a request the user intended from one forged by a third-party page.
4. Failure to validate or authenticate requests that carry privileged actions, for example relying on the session cookie alone, which the browser attaches to forged requests automatically.
5. Using deprecated or insecure methods that bypass the platform's default CSRF protections.
To mitigate these vulnerabilities: use unpredictable per-session CSRF tokens and verify them on every state-changing request, perform state changes only in action methods invoked by an explicit user action, and enforce authentication and authorization on those requests.
Reasoning
The FAQ content is accurate and comprehensive, covering the main causes of CSRF vulnerabilities. No significant changes are needed, as the content aligns well with security best practices. The only minor improvement made was to enhance the flow by removing redundant phrasing in the mitigation sentence while preserving all the essential information. Regarding the related security rules: the ApexCSRF rule is directly relevant because the FAQ discusses CSRF vulnerabilities in applications, and this rule specifically detects CSRF issues in Apex code. The FAQ content about "performing state-changing or data manipulation operations during page initialization" and "absence of user action to trigger state changes" directly relates to what the ApexCSRF rule identifies: DML operations in constructors or methods that execute without explicit user actions. The VfCsrf rule is also highly relevant because the FAQ covers general CSRF prevention, and Visualforce pages are a common attack vector for CSRF vulnerabilities in Salesforce applications. The FAQ's discussion of "lack of CSRF token implementation" and "failure to validate requests" directly corresponds to issues the VfCsrf rule identifies in Visualforce components.