FAQ-000222 - CSRF and DML Security Issues / Managed Package CSRF Considerations

To implement CSRF protection in custom form wizards within managed packages: 1. **Enable `confirmationTokenRequired`**: Set the `confirmationTokenRequired` metadata field to `true` in the Visualforce page. This ensures that GET requests require a CSRF token in the URL, and the page becomes inaccessible without it. 2. **Avoid Auto-Initiated Operations**: Don't perform state changes or DML operations during page initialization. Instead, require explicit user actions, like button clicks, to trigger these operations. For more details, refer to the Salesforce Metadata API Developer Guide and the Secure Server-Side Development module on Trailhead.

I made minimal improvements to enhance clarity and readability while preserving all existing content and structure: 1. Changed 'Do not perform' to 'Don't perform' to align with the conversational tone guidelines 2. All technical information and recommendations remain identical 3. The structure, length, and level of detail are preserved 4. No content was removed or added Regarding the related security rules: **ApexCSRF**: This rule directly relates to the FAQ's core topic of implementing CSRF protection. The FAQ specifically discusses 'CSRF protection in custom form wizards' and provides guidance on preventing CSRF attacks through proper token handling and avoiding auto-initiated operations - exactly what this rule addresses. **VfCsrf**: This rule is highly relevant as the FAQ specifically mentions 'confirmationTokenRequired' metadata field in Visualforce pages and discusses GET request protection with CSRF tokens. The entire answer focuses on Visualforce-specific CSRF protection mechanisms, which aligns directly with this rule's purpose of detecting CSRF vulnerabilities in Visualforce pages.