How should developers handle CSRF token requirements for read-only API integrations?
Answer
For read-only API integrations, developers should handle CSRF token requirements as follows:
- **Visualforce Pages**: Enable the `confirmationTokenRequired` attribute to ensure GET requests require a CSRF token in the URL, preventing unauthorized access.
- **Lightning or LWC Components**: Avoid performing state changes or DML operations during controller instantiation. Instead, trigger such actions through explicit user interactions, like button clicks.
These practices help mitigate CSRF vulnerabilities effectively.
How should developers handle CSRF token requirements for read-only API integrations?
Recommended Answer Update
For read-only API integrations, developers should handle CSRF token requirements as follows:
- **Visualforce Pages**: Enable the `showHeader="false"` attribute or set `standardController` attributes appropriately to ensure GET requests include proper CSRF protection, preventing unauthorized access.
- **Lightning or LWC Components**: Avoid performing state changes or DML operations during controller instantiation. Instead, trigger such actions through explicit user interactions, like button clicks.
These practices help mitigate CSRF vulnerabilities effectively.
Reasoning
The main issue identified is with the Visualforce section's technical accuracy. The original answer mentions the `confirmationTokenRequired` attribute for CSRF token requirements in GET requests, but this attribute doesn't exist in Visualforce. The actual CSRF protection in Visualforce is handled through proper use of `showHeader`, `standardController`, or other standard Visualforce security mechanisms. The rest of the answer about Lightning/LWC components is accurate and aligns with proper CSRF prevention practices. The ApexCSRF rule relates to this FAQ because it detects CSRF vulnerabilities in Apex controllers, which is exactly what this FAQ is teaching developers to prevent. The VfCsrf rule directly applies because it identifies CSRF issues in Visualforce pages, which is specifically addressed in the first bullet point of the FAQ answer.
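The constructor-side-effect pattern that the Lightning/LWC bullet warns against, and that the ApexCSRF rule flags, shown in a Visualforce custom controller next to the button-driven form the answer recommends; this is an added example, not code from the FAQ, and the class, object and field names (AccountNoteController, Account_Note__c, Account__c, Body__c) are assumed.

```apex
// Added example (assumed names). Vulnerable pattern: DML runs inside the
// constructor, so it executes on every GET of the page with no user action.
// A forged link to the page is enough to trigger the write; ApexCSRF reports this.
public with sharing class AccountNoteControllerVulnerable {
    public Id accountId { get; set; }

    public AccountNoteControllerVulnerable(ApexPages.StandardController stdCtrl) {
        accountId = stdCtrl.getId();
        // State change during instantiation: runs on page load, not on a click
        insert new Account_Note__c(Account__c = accountId, Body__c = 'Viewed');
    }
}

// Hardened pattern: the constructor only reads state. The write lives in an
// action method bound to a button, so it runs only on an explicit POST from
// an <apex:form>, which carries the Visualforce CSRF token automatically.
public with sharing class AccountNoteController {
    public Id accountId { get; private set; }
    public String noteBody { get; set; }

    public AccountNoteController(ApexPages.StandardController stdCtrl) {
        accountId = stdCtrl.getId();   // read-only setup, no DML here
    }

    // Invoked by <apex:commandButton value="Save" action="{!saveNote}"/>
    public PageReference saveNote() {
        insert new Account_Note__c(Account__c = accountId, Body__c = noteBody);
        return null;   // stay on the current page
    }
}
```

The page itself wires the hardened controller with `<apex:form>` around an `<apex:commandButton value="Save" action="{!saveNote}"/>`, so the only path to the DML is the user's click.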