FAQ-000242 - CSRF and DML Security Issues / Security Review and Documentation

To confirm if a flagged CSRF vulnerability is a true positive during the AppExchange Security Review: 1. **Evaluate the Context**: Check if the flagged issue involves DML operations or sensitive actions being executed automatically on page load without user interaction. If so, it's likely a true positive. 2. **Mitigation**: Add user interaction, such as requiring a button click, before initiating such actions to address the issue. 3. **Document the Scenario**: If you believe it's a false positive, document the specific conditions under which the flagged code operates and explain why it doesn't pose a security risk. Include this in the False Positive (FP) document for the review.

The answer was improved for better readability and conversational tone by using contractions ('it's' instead of 'it is') and slightly adjusting sentence structure for clarity, which aligns with the brand guidelines for conversational language. No technical content was changed - all security information and guidance remain exactly the same. For security rules selection: - ApexCSRF was selected because this FAQ specifically addresses how to confirm CSRF vulnerabilities flagged by security scanners, which directly relates to the ApexCSRF rule that detects potential CSRF vulnerabilities in Apex code - VfCsrf was selected because CSRF vulnerabilities can also occur in Visualforce pages, and this FAQ's guidance on evaluating DML operations and sensitive actions applies equally to Visualforce CSRF issues that would be flagged by the VfCsrf rule