FAQ-000256 - CSRF and DML Security Issues / Visualforce CSRF Protection


Current FAQ

Question
How should I handle CSRF protection for detail page buttons and Lightning components?
Answer
To handle CSRF protection for detail page buttons and Lightning components, follow these guidelines:

1. **Visualforce Pages**: Enable the `confirmationTokenRequired` attribute so that GET requests require a CSRF token in the URL. Without the token, the page will be inaccessible.
2. **Lightning Components**: Avoid performing state changes or DML operations during component initialization. Instead, trigger these actions through explicit user interactions, like button clicks.
3. **Action Methods**: Ensure methods called from the `action` parameter of a Visualforce page or Lightning component do not automatically execute state changes or DML operations.
4. **Component Access**: For Aura components, set the `access` value to `Private` or `Public` within the namespace to limit exposure to external entities.
5. **User-Triggered Actions**: Always trigger state changes or DML operations through user actions, such as button clicks, rather than during page or component initialization.

These steps will help effectively mitigate CSRF vulnerabilities.

AI Recommended Enhancement

Related Security Rules
ApexCSRF, VfCsrf
Question
How should I handle CSRF protection for detail page buttons and Lightning components?
Recommended Answer Update
To handle CSRF protection for detail page buttons and Lightning components, follow these guidelines:

1. **Visualforce Pages**: Enable the `confirmationTokenRequired` attribute so that GET requests require a CSRF token in the URL. Without the token, the page will be inaccessible.
2. **Lightning Components**: Avoid performing state changes or DML operations during component initialization. Instead, trigger these actions through explicit user interactions, like button clicks.
3. **Action Methods**: Ensure methods called from the `action` parameter of a Visualforce page or Lightning component don't automatically execute state changes or DML operations.
4. **Component Access**: For Aura components, set the `access` value to `Private` or `Public` within the namespace to limit exposure to external entities.
5. **User-Triggered Actions**: Always trigger state changes or DML operations through user actions, such as button clicks, rather than during page or component initialization.

These steps will help effectively mitigate CSRF vulnerabilities.
Reasoning
The FAQ content is accurate and well-structured, with only minor wording improvements needed for clarity. Changed 'do not automatically execute' to 'don't automatically execute' for a more conversational tone. No outdated content was detected: the guidance aligns well with current CSRF protection best practices.

For the ApexCSRF rule: this rule detects CSRF vulnerabilities in Apex controllers. The FAQ directly addresses CSRF protection, particularly in points 2, 3, and 5, which discuss avoiding DML operations during initialization and ensuring they're triggered by user actions, exactly the violations this rule helps identify.

For the VfCsrf rule: this rule specifically identifies CSRF vulnerabilities in Visualforce pages. Point 1 of the FAQ directly addresses Visualforce CSRF protection through the `confirmationTokenRequired` attribute, which is the primary mitigation technique this rule helps enforce.
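As an added illustration of points 3 and 5 above (example code written for this FAQ, not code from Salesforce or from the security rules it references), the controller below shows the page-load action pattern the ApexCSRF and VfCsrf rules flag next to the user-triggered form that replaces it. The object `Invoice__c`, its field `Status__c`, and the class and method names are assumed for the example.

```apex
// Added example: keep DML out of the Visualforce page-load action and move it
// behind a user-triggered command button. Object, field and class names are assumed.
public with sharing class InvoiceApprovalController {
    public Invoice__c invoice { get; private set; }

    public InvoiceApprovalController() {
        // Read-only work is acceptable on page load: nothing changes state here.
        String invId = ApexPages.currentPage().getParameters().get('id');
        invoice = [SELECT Id, Name, Status__c
                   FROM Invoice__c
                   WHERE Id = :invId
                   WITH SECURITY_ENFORCED
                   LIMIT 1];
    }

    // FLAGGED pattern (point 3 of the FAQ), wired up as
    //   <apex:page controller="InvoiceApprovalController" action="{!approveOnLoad}">
    // A plain GET of /apex/InvoiceApproval?id=... runs the update with no form token,
    // so any link the user is induced to open changes the record. Only the page-level
    // "require CSRF protection on GET requests" setting (point 1) would block it.
    public PageReference approveOnLoad() {
        invoice.Status__c = 'Approved';
        update invoice;
        return null;
    }

    // HARDENED pattern (point 5): the same DML, reachable only from
    //   <apex:form><apex:commandButton value="Approve" action="{!approve}"/></apex:form>
    // The command button submits a POST that carries the anti-forgery token
    // Visualforce adds to every <apex:form>, so a cross-site GET cannot trigger it.
    public PageReference approve() {
        invoice.Status__c = 'Approved';
        update invoice;
        return new PageReference('/' + invoice.Id);
    }
}
// The Aura equivalent (points 2 and 4): declare <aura:component access="private">
// where the component is not meant to be embedded by others, and place DML in the
// controller action bound to a button, never in the init handler.
```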