FAQ-000254 - CSRF and DML Security Issues / Uncategorized

Performing a DML operation on component initialization is considered a CSRF vulnerability because these operations are automatically triggered when the component or page loads. This bypasses the platform's default CSRF protection mechanisms, allowing unintended state changes or database manipulations without explicit user action. To mitigate this, trigger state changes or DML operations through explicit user actions, like button clicks, and implement CSRF tokens where applicable.

The FAQ is accurate and well-structured, clearly explaining why DML operations on component initialization create CSRF vulnerabilities. No content appears outdated or incorrect. The answer effectively explains the security risk (automatic execution bypassing CSRF protection) and provides appropriate mitigation guidance (explicit user actions and CSRF tokens). Only minor formatting improvement was made by removing an extra blank line. Regarding security rules: ApexCSRF is directly relevant because this FAQ explains CSRF vulnerabilities in Apex components, specifically addressing the scenario where DML operations are triggered automatically on component initialization, which is exactly what the ApexCSRF rule detects - CSRF vulnerabilities in Apex code. VfCsrf is also relevant because the FAQ discusses CSRF protection in component contexts, and Visualforce components can exhibit the same vulnerability pattern when DML operations are performed during page load or component initialization without proper CSRF protection.