What are the most common causes of CSRF violations in managed packages?
Answer
The most common causes of CSRF violations in managed packages include:
1. Performing state changes or DML operations during the initialization of Visualforce pages, Lightning components, or Apex controllers without requiring user interaction (e.g., button clicks).
2. Failing to enable the `confirmationTokenRequired` metadata field in Visualforce pages, which ensures GET requests require a CSRF token in the URL.
3. Using JavaScript actions that bypass built-in CSRF protection in Visualforce.
4. Not implementing random and high-entropy CSRF tokens for session validation.
5. Allowing automatic execution of page actions that perform sensitive operations without user confirmation.
What are the most common causes of CSRF violations in managed packages?
Recommended Answer Update
The most common causes of CSRF violations in managed packages include:
1. Performing state changes or DML operations while a Visualforce page, Lightning component, or Apex controller initializes (in a controller constructor, the `apex:page` `action` attribute, or a component initialization handler such as an Aura `init` event), so that a plain GET request or page load carries out the operation with no user interaction such as a button click.
2. Leaving the `confirmationTokenRequired` metadata field disabled on a Visualforce page; when it is enabled, GET requests to the page must carry a CSRF token in the URL, so the page cannot be driven by a bare link an attacker crafted.
3. Issuing state-changing requests from custom JavaScript that sidesteps the mechanisms carrying Visualforce's built-in anti-CSRF token (forms inside `apex:form` and JavaScript Remoting), so the request reaches the server without a token.
4. Using predictable or low-entropy values where a custom CSRF token is needed, instead of random, high-entropy tokens.
5. Letting page actions that perform sensitive operations run automatically on load instead of requiring explicit user confirmation.
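The vulnerable and hardened patterns behind points 1, 2 and 5 side by side, as an added example that is not part of the original FAQ or of any Salesforce documentation. The class, page, object and field names (`ApprovalController_Vulnerable`, `ApprovalController`, `ApprovalPage`, `Approval_Request__c`, `Status__c`) are hypothetical; the Visualforce markup and page metadata that bind the controllers are shown as comments so the whole example stays in one Apex listing.

```apex
// Added example, not code from the original FAQ. All names are hypothetical.

// --- Vulnerable: DML happens during page initialisation ---------------------
// Visualforce page (ApprovalPage.page), shown here as a comment:
//   <apex:page controller="ApprovalController_Vulnerable" action="{!autoApprove}">
//     Request {!requestId} approved.
//   </apex:page>
// Because the work runs from the page's action attribute, a victim who merely
// follows a link such as /apex/ApprovalPage?id=<record id> (for example via an
// <img src="..."> on an attacker-controlled site) performs the update with their
// own session: no click, no form, and therefore no anti-CSRF token is checked.
public with sharing class ApprovalController_Vulnerable {
    public Id requestId { get; private set; }

    public ApprovalController_Vulnerable() {
        requestId = ApexPages.currentPage().getParameters().get('id');
        // Putting the update here instead would be the same defect:
        // the constructor runs on every GET of the page.
    }

    // Bound to <apex:page action="...">: executes on load, without user interaction
    public PageReference autoApprove() {
        Approval_Request__c req = [
            SELECT Id, Status__c FROM Approval_Request__c WHERE Id = :requestId
        ];
        req.Status__c = 'Approved';
        update req;
        return null;
    }
}

// --- Hardened: DML only behind an explicit user action -----------------------
// Visualforce page, shown as a comment:
//   <apex:page controller="ApprovalController">
//     <apex:form>
//       <apex:outputText value="Approve request {!requestId}?"/>
//       <apex:commandButton value="Approve" action="{!approve}"/>
//     </apex:form>
//   </apex:page>
// Page metadata (ApprovalPage.page-meta.xml) so that even GET requests to the
// page must carry a CSRF token in the URL:
//   <confirmationTokenRequired>true</confirmationTokenRequired>
// apex:form posts the hidden anti-CSRF token Visualforce generates, and the
// platform rejects the POST when the token is missing or wrong, so approve()
// can only be reached by the user pressing the button.
public with sharing class ApprovalController {
    public Id requestId { get; private set; }

    public ApprovalController() {
        // Read-only initialisation: no DML, no state change
        requestId = ApexPages.currentPage().getParameters().get('id');
    }

    public PageReference approve() {
        Approval_Request__c req = [
            SELECT Id, Status__c FROM Approval_Request__c
            WHERE Id = :requestId WITH SECURITY_ENFORCED
        ];
        req.Status__c = 'Approved';
        update req;
        return null;
    }
}
```

The constructor in the hardened controller may still read URL parameters and query records, since that changes no state; the test to apply during review is whether anything reachable from a constructor, a page `action` attribute or a component initialization handler writes data. One practical caveat of enabling `confirmationTokenRequired`: every link to the page must then carry the token, so any existing custom buttons or links that target it need to be retested after the change.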
Reasoning
The existing FAQ content is accurate and comprehensive, covering the main CSRF violation causes in managed packages. I made one minor improvement by removing redundancy in point 4 - the phrase "for session validation" was redundant since CSRF tokens inherently validate requests/sessions by design. The content aligns well with security best practices and doesn't conflict with any rule information.
I selected ApexCSRF because this FAQ directly addresses CSRF violations in Apex code contexts, explaining when DML operations and state changes in controllers lead to CSRF issues. The FAQ's point 1 specifically covers performing state changes in Apex controllers without user interaction, which is exactly what this rule detects.
I selected VfCsrf because this FAQ extensively covers Visualforce-specific CSRF issues. Point 2 explicitly mentions the confirmationTokenRequired metadata field for Visualforce pages, and point 3 discusses JavaScript actions bypassing CSRF protection in Visualforce - both of which are core concerns that the VfCsrf rule addresses.