FAQ-000224 - CSRF and DML Security Issues / Platform CSRF Protection


Current FAQ

Question
How does the platform handle XSRF protection, and when do I need additional measures?
Answer
Salesforce provides built-in Cross-Site Request Forgery (CSRF) protection for all form requests made on the platform. State change operations like insert, delete, update, and upsert triggered by user actions (e.g., button clicks) are protected by default. However, additional measures are needed in specific scenarios:

1. **Visualforce Pages**: To protect against CSRF vulnerabilities when state change or DML operations execute on page initialization, enable the `confirmationTokenRequired` boolean metadata field in the Visualforce page settings. When set to `true`, GET requests to the page require a CSRF token in the URL, making the page inaccessible without the token.
2. **Lightning and LWC**: Avoid performing state change or DML operations in an Apex controller during the instantiation of Lightning or LWC components. Instead, trigger these operations through explicit user actions, like button clicks.

These additional measures ensure CSRF vulnerabilities are mitigated in scenarios where default protections may not apply.
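The two patterns the answer contrasts, as an added Apex example that is not part of the original FAQ: a Visualforce controller that performs DML in its constructor (so a plain GET of the page triggers it, and the page metadata needs `confirmationTokenRequired`), beside the preferred form that moves the DML into a button-bound action method, which arrives as a form POST carrying the platform's built-in CSRF token. The class names, the `id` URL parameter and the `Account` object are assumptions.

```apex
// BEFORE: DML inside the constructor runs on page initialization, i.e. on a
// plain GET. This is the case the FAQ says needs confirmationTokenRequired
// set to true in the page metadata (RecordDeleteOnLoad.page-meta.xml, assumed
// name): <confirmationTokenRequired>true</confirmationTokenRequired>
public with sharing class RecordDeleteOnLoadController {
    public RecordDeleteOnLoadController() {
        // 'id' is an assumed URL parameter name, e.g. /apex/RecordDeleteOnLoad?id=...
        Id recordId = ApexPages.currentPage().getParameters().get('id');
        if (recordId != null && Schema.sObjectType.Account.isDeletable()) {
            delete [SELECT Id FROM Account WHERE Id = :recordId];
        }
    }
}

// AFTER (preferred): no DML in the constructor. The delete only runs from an
// action method bound to a button, so it is a form POST protected by the
// platform's default CSRF token; the GET that renders the page changes nothing.
public with sharing class RecordDeleteController {
    private final Id recordId;
    public Boolean deleted { get; private set; }

    public RecordDeleteController() {
        // Read-only setup on page load; no state change here.
        recordId = ApexPages.currentPage().getParameters().get('id');
        deleted = false;
    }

    // Bound in the page as <apex:commandButton action="{!deleteRecord}" .../>
    // inside an <apex:form>, which is what makes the request a protected POST.
    public PageReference deleteRecord() {
        if (recordId != null && Schema.sObjectType.Account.isDeletable()) {
            delete [SELECT Id FROM Account WHERE Id = :recordId];
            deleted = true;
        }
        return null; // stay on the current page
    }
}
```

The same rule applies to Lightning and LWC: an `@AuraEnabled` method that writes records should be called from a user action handler, not from the component's initialization path.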

AI Recommended Enhancement

Related Security Rules
ApexCSRF, VfCsrf
Question
How does the platform handle XSRF protection, and when do I need additional measures?
Recommended Answer Update
Salesforce provides built-in Cross-Site Request Forgery (CSRF) protection for all form requests made on the platform. State change operations like insert, delete, update, and upsert triggered by user actions (e.g., button clicks) are protected by default. However, you'll need additional measures in specific scenarios:

1. **Visualforce Pages**: To protect against CSRF vulnerabilities when state change or DML operations execute on page initialization, enable the `confirmationTokenRequired` boolean metadata field in the Visualforce page settings. When set to `true`, GET requests to the page require a CSRF token in the URL, making the page inaccessible without the token.
2. **Lightning and LWC**: Avoid performing state change or DML operations in an Apex controller during the instantiation of Lightning or LWC components. Instead, trigger these operations through explicit user actions, like button clicks.

These additional measures ensure CSRF vulnerabilities are mitigated in scenarios where default protections may not apply.
Reasoning
The FAQ content is accurate and well-structured. The main improvement was converting from formal documentation tone to a more conversational, user-friendly tone by changing 'However, additional measures are needed' to 'However, you'll need additional measures.' This aligns with the brand guidelines that emphasize using conversational language and writing from the user's perspective. The technical content remains identical and accurate.

For security rules selection:

1. **ApexCSRF**: This rule directly relates to the FAQ's discussion of CSRF protection in Apex controllers. The FAQ specifically addresses avoiding state change operations during Lightning/LWC component instantiation, which is exactly what this rule detects and prevents.
2. **VfCsrf**: This rule is directly relevant to the Visualforce section of the FAQ. The FAQ explains using `confirmationTokenRequired` to protect against CSRF vulnerabilities in Visualforce pages, which aligns with what this rule validates.