FAQ-000241 - CSRF and DML Security Issues / Security Review and Documentation

Your page may still be flagged for CSRF even after removing the DML statement if it lacks proper CSRF protection mechanisms. For example: - If the Visualforce page does not have the `confirmationTokenRequired` attribute set to `true`, it won't enforce the requirement for a CSRF token in GET requests, leaving it vulnerable. - Any state changes or operations triggered without explicit user interaction, like a button click, can still be considered a potential CSRF risk. To address this, enable CSRF protection and ensure all state changes are initiated through explicit user actions.

The FAQ content is technically accurate and addresses an important CSRF security concept. No outdated content was detected - the information about confirmationTokenRequired and explicit user interactions remains current. The content is focused and on-topic. Minor formatting improvement was made by removing unnecessary bullet point formatting in the solution paragraph to improve readability while preserving all existing information. For ApexCSRF rule: This rule detects Cross-Site Request Forgery vulnerabilities in Apex controllers. The FAQ directly addresses CSRF protection mechanisms and explains why pages might still be flagged for CSRF issues even after removing DML statements. The FAQ's discussion of 'state changes or operations triggered without explicit user interaction' and the need for 'proper CSRF protection mechanisms' directly relates to what this rule detects. For VfCsrf rule: This rule specifically checks for CSRF vulnerabilities in Visualforce pages. The FAQ explicitly mentions the Visualforce page confirmationTokenRequired attribute and explains how it 'won't enforce the requirement for a CSRF token in GET requests' - this directly corresponds to the types of CSRF vulnerabilities this rule identifies in Visualforce context.