FAQ-000247 - CSRF and DML Security Issues / Specific CSRF Resolution Scenarios


Current FAQ

Question
How can I resolve CSRF vulnerabilities that persist after removing DML statements?
Answer
If CSRF vulnerabilities persist even after removing DML statements, here's how you can address them:

1. **Enable CSRF Token Requirement**: For Visualforce pages, set the `confirmationTokenRequired` metadata field to `true`. This ensures that GET requests to the page require a CSRF token in the URL, preventing unauthorized access.
2. **Avoid State Changes During Initialization**: Ensure that no state changes or operations are performed during the initialization of Apex controllers. Instead, trigger these actions through explicit user interactions, like button clicks.

For more detailed guidance, refer to the [Salesforce documentation on CSRF protection](https://developer.salesforce.com/docs/atlas.en-us.packagingGuide.meta/packagingGuide/secure_code_violation_request_forgery.htm).
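As an added example (not from this FAQ or from Salesforce), the following Apex shows both points of the answer side by side: a controller whose constructor still changes state after the DML was removed (here by enqueuing a job, which is why the finding persists), and the same work moved into an action method that only runs on a token-protected POST from a button. The class, job and field names (`CloseAccountController`, `CloseAccountJob`, `Status__c`) are hypothetical; in a real org each class goes in its own `.cls` file.

```apex
// Added example, not from the FAQ or Salesforce docs. All names are hypothetical.
//
// BEFORE: the constructor still changes state even though the DML was removed.
// Enqueuing a job runs on a plain GET of the page, so a forged link to
// /apex/CloseAccount?id=... would trigger it for a logged-in user, and the
// ApexCSRF rule keeps flagging the controller.
public with sharing class CloseAccountController_Before {
    public CloseAccountController_Before() {
        Id accId = ApexPages.currentPage().getParameters().get('id');
        // State change during initialization (no DML, still CSRF-prone)
        System.enqueueJob(new CloseAccountJob(accId));
    }
}

// AFTER: initialization only reads. The state change lives in an action method
// that the page invokes from a commandButton; the resulting POST carries the
// Visualforce CSRF token, which the platform validates before the method runs.
public with sharing class CloseAccountController {
    public Account acc { get; private set; }

    public CloseAccountController() {
        Id accId = ApexPages.currentPage().getParameters().get('id');
        acc = [SELECT Id, Name FROM Account WHERE Id = :accId];
    }

    // Bound in the page as:
    //   <apex:form>
    //     <apex:commandButton action="{!closeAccount}" value="Close account"/>
    //   </apex:form>
    public PageReference closeAccount() {
        System.enqueueJob(new CloseAccountJob(acc.Id));
        return null;
    }
}

// Hypothetical queueable used by both controllers above; Status__c is a
// hypothetical custom field.
public class CloseAccountJob implements Queueable {
    private final Id accId;
    public CloseAccountJob(Id accId) { this.accId = accId; }
    public void execute(QueueableContext ctx) {
        update new Account(Id = accId, Status__c = 'Closed');
    }
}
```

If the page itself must remain reachable by GET and you still want the first measure from the answer, set `confirmationTokenRequired` to `true` in the page's metadata (the `.page-meta.xml` file for `CloseAccount`) so that GET requests must carry a CSRF token in the URL; moving the state change out of the constructor, as above, is what clears the ApexCSRF finding.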


AI Recommended Enhancement

Related Security Rules
ApexCSRF, VfCsrf
Recommended Answer Update
No change: the recommended answer is identical to the current answer above.
Reasoning
The FAQ content is accurate and well-structured, addressing the specific scenario where CSRF vulnerabilities persist despite removing DML statements. The two main points about enabling CSRF token requirements and avoiding state changes during initialization are correct and comprehensive. No significant changes are needed as the content is current and aligns with security best practices.

For the security rules selected:

1. **ApexCSRF** - This rule directly relates to the FAQ's core topic. The FAQ specifically discusses "CSRF vulnerabilities that persist after removing DML statements" and provides solutions including "avoid state changes during initialization" and proper handling of controller actions. The ApexCSRF rule detects these exact CSRF vulnerability patterns in Apex code.
2. **VfCsrf** - This rule is highly relevant because the FAQ explicitly mentions "For Visualforce pages, set the confirmationTokenRequired metadata field to true" as a key solution. The VfCsrf rule specifically deals with CSRF protection in Visualforce pages, which is exactly what this FAQ solution addresses.