How can I verify that identified CSRF vulnerabilities are legitimate security concerns?
Answer
To verify if identified CSRF vulnerabilities are legitimate security concerns during the AppExchange Security Review:
1. **Review the Flagged Issues**: Analyze the flagged vulnerabilities in detail to determine if they are exploitable or necessary for valid use cases.
2. **Document False Positives**: If you believe the vulnerabilities are false positives, provide documentation explaining why they are nonexploitable. Submit this through the security review wizard in the AppExchange Partner Console.
3. **Seek Guidance**: Schedule an appointment with the Product Security team via the Partner Security Portal to discuss the findings and get expert advice.
How can I verify that identified CSRF vulnerabilities are legitimate security concerns?
Recommended Answer Update
To verify if identified CSRF vulnerabilities are legitimate security concerns during the AppExchange Security Review:
1. **Review the Flagged Issues**: Analyze the flagged vulnerabilities in detail to determine if they're exploitable or necessary for valid use cases.
2. **Document False Positives**: If you believe the vulnerabilities are false positives, provide documentation explaining why they're non-exploitable. Submit this through the security review wizard in the AppExchange Partner Console.
3. **Seek Guidance**: Schedule an appointment with the Product Security team via the Partner Security Portal to discuss the findings and get expert advice.
Reasoning
The FAQ needed minor improvements for consistency and modern tone. I made these changes: (1) Changed 'nonexploitable' to 'non-exploitable' for standard hyphenation, (2) Changed formal 'they are' to the more conversational contraction 'they're' to match the brand tone guidelines requiring conversational language and contractions.
I selected two security rules that directly relate to CSRF vulnerability detection:
**ApexCSRF**: This rule is directly relevant because the FAQ is about verifying CSRF vulnerabilities identified during security review. The FAQ's core purpose is helping developers understand how to handle flagged CSRF issues, and ApexCSRF is the primary rule that detects CSRF vulnerabilities in Apex code during security scanning.
**VfCsrf**: This rule is also directly relevant because it detects CSRF vulnerabilities specifically in Visualforce pages. Since the FAQ discusses verifying 'identified CSRF vulnerabilities' without specifying the technology, both Apex and Visualforce CSRF detection rules apply to the verification process the FAQ describes.
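As an added illustration of what these two rules react to (this is example code written for this page, not from the original FAQ nor from Salesforce's rule documentation), the controller below shows the constructor-DML pattern that ApexCSRF flags next to a shape that keeps the write behind a form post; the controller names and the Account-name filter are assumed, and the VfCsrf counterpart (the same method bound to the page-level `action` attribute) is described in the comments.

```apex
// ---- Pattern ApexCSRF flags (hypothetical controller, constructed for illustration) ----
// A Visualforce controller's constructor runs on every load of a page that uses it,
// i.e. on a plain GET with no form post and therefore no anti-CSRF token. DML placed
// there changes data as a side effect of merely opening the page.
// (Each class below belongs in its own .cls file; they are shown together for comparison.)
public with sharing class StaleAccountController {
    public StaleAccountController() {
        // Flagged: a state change triggered by page load alone.
        delete [SELECT Id FROM Account WHERE Name LIKE 'STALE-%'];
    }
}

// ---- Shape that does not trip the rule ----
// The write moves into an action method that is only reachable from a form
// submission. Visualforce adds an anti-CSRF token to every <apex:form> and
// validates it on the postback, so the request must originate from the page
// the platform rendered for that user.
public with sharing class StaleAccountControllerFixed {
    public Integer staleCount { get; private set; }

    public StaleAccountControllerFixed() {
        // Constructor only reads; nothing is modified on page load.
        staleCount = [SELECT COUNT() FROM Account WHERE Name LIKE 'STALE-%'];
    }

    // Bound to a commandButton inside <apex:form>, for example:
    //   <apex:page controller="StaleAccountControllerFixed">
    //     <apex:form><apex:commandButton value="Remove stale" action="{!cleanup}"/></apex:form>
    //   </apex:page>
    // VfCsrf flags the equivalent mistake on the page side: the same method wired
    // to the page-level attribute action="{!cleanup}", which fires on load (GET).
    public PageReference cleanup() {
        delete [SELECT Id FROM Account WHERE Name LIKE 'STALE-%'];
        staleCount = 0;
        return null;   // stay on the page; the view re-renders with the new count
    }
}
```

When triaging a finding from either rule, the question to settle is whether the write in the constructor or page-load action changes state a user would not expect from simply opening the page; if it does not, that observation is the evidence to include in the false-positive documentation described above.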