FAQ-000248 - CSRF and DML Security Issues / Specific CSRF Resolution Scenarios


Current FAQ

Question
How can I address multiple security vulnerabilities including CRUD/FLS and CSRF issues?
Answer
To address multiple security vulnerabilities, including CRUD/FLS and CSRF issues, follow these steps:

### 1. CRUD/FLS Enforcement

- **Use "USER_MODE"**: Apply "USER_MODE" in queries wherever possible, as it automatically enforces CRUD/FLS checks.
- **Manual Checks**: For cases where "USER_MODE" isn't applicable, implement manual CRUD/FLS checks thoroughly across the codebase.
- **Review DML Operations**: Ensure all DML operations have proper CRUD/FLS checks. Document any exceptions in a False Positive (FP) document if needed.

### 2. CSRF Mitigation

- **Enable CSRF Tokens**: For Visualforce pages, set `confirmationTokenRequired=true` to require CSRF tokens.
- **Avoid Sensitive Actions on Page Load**: Do not perform DML operations or sensitive actions during page initialization. Require user interaction, like button clicks, to trigger these actions.
- **Validate Redirection URLs**: Ensure proper validation of redirection URLs and use authentication tokens to validate redirection requests.

### 3. General Recommendations

- **Use Security Tools**: Leverage tools like Checkmarx and Salesforce Code Analyzer to identify and fix vulnerabilities.
- **Upgrade API Versions**: Use API versions 48 or above when applying `with security_enforced` in SOQL queries.
- **Follow Secure Coding Practices**: Adhere to Salesforce's security review guides for detailed instructions.

Applying these measures consistently across your application will help ensure compliance and reduce the likelihood of vulnerabilities being flagged during security reviews. For more details, refer to Salesforce's [security review guides](https://developer.salesforce.com/docs/atlas.en-us.packagingGuide.meta/packagingGuide/secure_code_violation_request_forgery.htm).

AI Recommended Enhancement

Related Security Rules

- ApexCRUDViolation
- ApexCSRF
- VfCsrf
- AvoidSecurityEnforcedOldApiVersion
Question
How can I address multiple security vulnerabilities including CRUD/FLS and CSRF issues?
Recommended Answer Update
To address multiple security vulnerabilities, including CRUD/FLS and CSRF issues, follow these steps:

### 1. CRUD/FLS Enforcement

- **Use "WITH USER_MODE"**: Apply "WITH USER_MODE" in SOQL queries wherever possible, as it automatically enforces CRUD/FLS checks.
- **Use "AccessLevel.USER_MODE"**: For Database methods, use "AccessLevel.USER_MODE" to automatically enforce CRUD/FLS checks.
- **Manual Checks**: For cases where modern approaches aren't applicable, implement manual CRUD/FLS checks thoroughly across the codebase.
- **Review DML Operations**: Ensure all DML operations have proper CRUD/FLS checks. Document any exceptions in a False Positive (FP) document if needed.

### 2. CSRF Mitigation

- **Enable CSRF Tokens**: For Visualforce pages, set `confirmationTokenRequired=true` to require CSRF tokens.
- **Avoid Sensitive Actions on Page Load**: Don't perform DML operations or sensitive actions during page initialization. Require user interaction, like button clicks, to trigger these actions.
- **Validate Redirection URLs**: Ensure proper validation of redirection URLs and use authentication tokens to validate redirection requests.

### 3. General Recommendations

- **Use Security Tools**: Leverage tools like Checkmarx and Salesforce Code Analyzer to identify and fix vulnerabilities.
- **Upgrade API Versions**: Use API versions 48 or above when applying `with security_enforced` in SOQL queries.
- **Follow Secure Coding Practices**: Adhere to Salesforce's security review guides for detailed instructions.

Applying these measures consistently across your application will help ensure compliance and reduce the likelihood of vulnerabilities being flagged during security reviews. For more details, refer to Salesforce's [security review guides](https://developer.salesforce.com/docs/atlas.en-us.packagingGuide.meta/packagingGuide/secure_code_violation_request_forgery.htm).
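As an added example that is not part of the FAQ above (or of any Salesforce sample), here is an Apex Visualforce controller that applies points 1 and 2 from both versions of the answer: `WITH USER_MODE` on the SOQL read, `AccessLevel.USER_MODE` on the DML, an explicit describe-based check as the manual fallback, and no DML in the constructor or in a page-load action. The class name, the `Contact` fields used, and the Visualforce bindings described in the comments are assumptions for illustration.

```apex
// Added example controller (hypothetical), not code from the FAQ.
public with sharing class ContactLookupController {
    public List<Contact> results { get; private set; }
    public String searchTerm { get; set; }
    public Boolean saved { get; private set; }

    // The constructor only initialises state. Doing DML here, or in an
    // <apex:page action="{!...}"> page-load action, would run on a plain GET
    // with no user interaction, which is the pattern ApexCSRF / VfCsrf flag.
    public ContactLookupController() {
        results = new List<Contact>();
        saved = false;
    }

    // Read path: WITH USER_MODE enforces object permissions, field-level
    // security and sharing for the running user, so no manual isAccessible()
    // checks are needed on this query. Requires API version 55 or later.
    public PageReference search() {
        String pattern = '%' + String.escapeSingleQuotes(searchTerm) + '%';
        results = [SELECT Id, LastName, Email FROM Contact
                   WHERE LastName LIKE :pattern
                   WITH USER_MODE LIMIT 50];
        return null;
    }

    // Write path, bound to <apex:commandButton action="{!createContact}">.
    // The button POSTs with the view state and CSRF token, and the record is
    // only written after a user action, not on page load.
    public PageReference createContact() {
        Contact c = new Contact(LastName = searchTerm);
        // AccessLevel.USER_MODE makes the DML honour CRUD and FLS: a user
        // without Create on Contact (or without edit access to LastName)
        // gets a DmlException instead of a silent system-mode write.
        Database.insert(c, AccessLevel.USER_MODE);
        saved = true;
        return null;
    }

    // Manual-check fallback for code that cannot use USER_MODE (for example,
    // an older API version): verify object and field permissions with the
    // describe API before issuing DML, and skip the write if either fails.
    public static Boolean canCreateContactWithLastName() {
        Schema.DescribeSObjectResult objDescribe = Contact.sObjectType.getDescribe();
        return objDescribe.isCreateable()
            && Schema.sObjectType.Contact.fields.LastName.isCreateable();
    }
}
```

On the Visualforce side, keeping `confirmationTokenRequired` enabled on the page metadata means any action that is still wired to page load is rejected unless the request carries the confirmation token, which complements moving DML into button-triggered methods as shown here.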
Reasoning
The FAQ content needed minor improvements to align with modern security approaches. I made these changes: 1) Added "AccessLevel.USER_MODE" for Database methods to complement the existing "WITH USER_MODE" guidance, following the modern security approaches guideline to prioritize these features. 2) Changed "Do not perform" to "Don't perform" to maintain conversational tone per the style guide. The content was otherwise accurate and comprehensive. I selected ApexCRUDViolation because the FAQ extensively covers CRUD/FLS enforcement techniques including USER_MODE and manual checks. ApexCSRF was selected as it directly relates to the CSRF mitigation section discussing DML operations and sensitive actions. VfCsrf was chosen because the FAQ specifically addresses Visualforce CSRF protection with confirmationTokenRequired=true. AvoidSecurityEnforcedOldApiVersion was included because the FAQ mentions using API versions 48+ with security_enforced, which this rule validates.