FAQ-000246 - CSRF and DML Security Issues / Specific CSRF Resolution Scenarios


Current FAQ

Question
How do I resolve CSRF vulnerabilities related to DML operations that cause repeated security review failures?
Answer
To resolve CSRF findings on DML operations that keep failing security review, work through the following:

1. **Avoid DML operations on page load.** Do not perform DML in a controller constructor, in the `action` attribute of `<apex:page>`, or in any getter or initializer that runs while the page renders. All of these execute on a plain GET, so a link or image tag on an attacker's site can trigger the change with the victim's session. Require an explicit user action, such as an `<apex:commandButton>` inside an `<apex:form>` (a POST that carries the Visualforce anti-forgery token), to initiate the operation.
2. **Enable CSRF protection on GET requests.** For Visualforce pages that still need to act on load, select "Require CSRF protection on GET requests" in the page's settings (Setup, Visualforce Pages) so the page does not execute without a valid CSRF token. Links to the page that were not generated with a token will then fail, so retest custom buttons, bookmarks and external links that point at it.
3. **Set `confirmationTokenRequired` to `true`.** This is the same control expressed in the page's metadata (`.page-meta.xml`). Setting it to `true` there ships the protection with the package instead of relying on a checkbox clicked in Setup.
4. **Review all DML operations.** Check every insert, update, upsert, delete and undelete in the application and confirm that none is reachable from an automatically triggered path.
5. **Conduct thorough code reviews.** Combine manual review with automated scanning; the Salesforce Code Analyzer (PMD) rules ApexCSRF (DML in constructors or initialization methods) and VfCsrf (actions invoked on page load) flag exactly these patterns.
6. **Repackage and resubmit.** After implementing the fixes, upload a new package version and resubmit it for security review.

For more detailed guidance, refer to the [Salesforce CSRF Mitigation Guide](https://developer.salesforce.com/docs/atlas.en-us.packagingGuide.meta/packagingGuide/secure_code_violation_request_forgery.htm).
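A before/after pair for the steps above, added here as an example; it is not code from the FAQ or from Salesforce's documentation, and the class, page and field-free record operations are invented for illustration (the recommended update later on the page repeats the same steps, so it is covered by this one example). The first controller fails steps 1 and 4: DML runs in the constructor and in a page-load action, so a GET to the page URL is enough to change data. The second moves the DML into an action method reachable only from a form POST, adds the CRUD check that security review expects around DML, and the page metadata carries step 3's `confirmationTokenRequired` setting.

```apex
// --- BEFORE (fails security review) ------------------------------------
// Both patterns run DML on a plain GET, so a link or <img src> on an
// attacker's site pointing at /apex/DeleteContact?id=<ContactId> deletes
// the record in the victim's org with the victim's session.
// Code Analyzer / PMD flags the constructor with ApexCSRF and the
// page-load action with VfCsrf.
public with sharing class DeleteContactBefore {
    private final Id contactId;

    public DeleteContactBefore(ApexPages.StandardController std) {
        contactId = std.getId();
        // BAD: DML in a constructor executes on every page load.
        delete new Contact(Id = contactId);
    }

    // BAD when wired as <apex:page action="{!doDelete}">: also runs on GET.
    public PageReference doDelete() {
        delete new Contact(Id = contactId);
        return null;
    }
}

// --- AFTER ---------------------------------------------------------------
// Nothing is modified on load. The only state change is the action method,
// reachable solely from a commandButton inside <apex:form>: a POST carrying
// the Visualforce view state and anti-forgery token, which the platform
// validates before the method is invoked.
public with sharing class DeleteContactAfter {
    private final Id contactId;
    public Contact record { get; private set; }

    public DeleteContactAfter(ApexPages.StandardController std) {
        contactId = std.getId();
        // Read-only work on load is fine.
        record = [SELECT Id, Name FROM Contact WHERE Id = :contactId LIMIT 1];
    }

    // Invoked only by the button; never from <apex:page action="...">.
    public PageReference doDelete() {
        // Security review also expects object-level access checks around DML.
        if (!Schema.sObjectType.Contact.isDeletable()) {
            ApexPages.addMessage(new ApexPages.Message(
                ApexPages.Severity.ERROR, 'You do not have permission to delete contacts.'));
            return null;
        }
        delete new Contact(Id = contactId);
        // Return to the Contacts tab (003 is the Contact key prefix).
        return new PageReference('/003/o');
    }
}

/* Page markup and metadata for DeleteContactAfter, shown as comments so the
   example stays in one language.

   DeleteContact.page:
   <apex:page standardController="Contact" extensions="DeleteContactAfter">
     <apex:pageMessages />
     <apex:form>
       Delete {!record.Name}?
       <apex:commandButton action="{!doDelete}" value="Delete" />
     </apex:form>
   </apex:page>

   DeleteContact.page-meta.xml (step 3; the same control as the
   "Require CSRF protection on GET requests" checkbox in step 2):
   <?xml version="1.0" encoding="UTF-8"?>
   <ApexPage xmlns="http://soap.sforce.com/2006/04/metadata">
       <apiVersion>59.0</apiVersion>
       <confirmationTokenRequired>true</confirmationTokenRequired>
       <label>DeleteContact</label>
   </ApexPage>
*/
```

Running Code Analyzer over the "before" class reproduces the two findings named in step 5; the "after" class and page produce none, and a direct GET to the page with the metadata flag set is rejected unless the request carries a valid token.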

AI Recommended Enhancement

Related Security Rules
ApexCSRF, VfCsrf
Question
How do I resolve CSRF vulnerabilities related to DML operations that cause repeated security review failures?
Recommended Answer Update
To resolve CSRF vulnerabilities related to DML operations that cause repeated security review failures, follow these steps:

1. **Avoid DML Operations on Page Load**: Don't perform DML operations during page initialization or in methods that are automatically triggered. Instead, require user interaction, like a button click, to initiate these operations.
2. **Enable CSRF Protection on GET Requests**: For Visualforce pages, enable the "Requires CSRF protection on GET request" attribute to ensure the page can't execute without a valid CSRF token.
3. **Set `confirmationTokenRequired` to True**: This attribute should be set to `true` for Visualforce pages to prevent unauthorized state changes.
4. **Review All DML Operations**: Check all instances of DML operations in your application to ensure they're not triggered automatically.
5. **Conduct Thorough Code Reviews**: Perform both manual and automated code reviews to identify and address CSRF vulnerabilities.
6. **Repackage and Resubmit**: After implementing these fixes, repackage your application with a new version and resubmit it for security review.

For more detailed guidance, refer to the [Salesforce CSRF Mitigation Guide](https://developer.salesforce.com/docs/atlas.en-us.packagingGuide.meta/packagingGuide/secure_code_violation_request_forgery.htm).
Reasoning
The FAQ content is technically accurate and comprehensive. I made minor improvements to align with the conversational tone guidelines: changed 'cannot' to 'can't', 'are not triggered' to 'aren't triggered', and similar contractions to make the content more approachable while maintaining its technical accuracy. No outdated content was detected as the security practices mentioned align with current Salesforce security requirements. The structure and all technical points remain unchanged.

For security rules selection:

- **ApexCSRF**: This rule directly relates to the FAQ's core focus on CSRF vulnerabilities in Apex code. The FAQ specifically addresses "CSRF vulnerabilities related to DML operations" and provides guidance on preventing unauthorized DML operations, which is exactly what this rule detects and prevents.
- **VfCsrf**: This rule is highly relevant because the FAQ specifically mentions Visualforce page configurations including "Requires CSRF protection on GET request" attribute and "confirmationTokenRequired" settings, which are the exact mechanisms this rule validates for CSRF protection in Visualforce pages.