FAQ-000257 - CSRF and DML Security Issues / Visualforce CSRF Protection


Current FAQ

Question
What is the correct way to fix a CSRF vulnerability on a Visualforce page that performs a DML operation on load?
Answer
To fix a CSRF vulnerability on a Visualforce page that performs a DML operation on load:

1. **Enable `confirmationTokenRequired`**: Set this attribute in the Visualforce page settings to ensure GET requests require a CSRF token in the URL. Without the token, the page will be inaccessible. You can configure these settings in the Visualforce page settings within your Salesforce org setup (the "Require CSRF protection on GET requests" checkbox; in page metadata it is the `confirmationTokenRequired` flag of the ApexPage). Note that the page can then only be reached through links the platform generates with the token included, so bookmarks and hand-written URLs to the page stop working.
2. **Avoid DML on Initialization**: Do not perform DML operations during page initialization. Code in the controller constructor and in the `action` attribute of `<apex:page>` runs on the initial GET request, which carries no anti-forgery token. Instead, trigger these operations through explicit user actions, like a button click: an `<apex:commandButton>` inside an `<apex:form>` submits a POST that Visualforce protects with its built-in CSRF token.

These steps align with Salesforce's security guidelines to mitigate CSRF risks. Step 2 is the primary fix; step 1 is an additional layer for pages that must keep accepting state-changing GET requests.

AI Recommended Enhancement

Related Security Rules
ApexCSRF
VfCsrf
Question
What is the correct way to fix a CSRF vulnerability on a Visualforce page that performs a DML operation on load?
Recommended Answer Update
To fix a CSRF vulnerability on a Visualforce page that performs a DML operation on load:

1. **Enable `confirmationTokenRequired`**: Set this attribute to `true` in the Visualforce page settings to ensure GET requests require a CSRF token in the URL. Without the token, the page will be inaccessible. You can configure these settings in the Visualforce page settings within your Salesforce org setup (the "Require CSRF protection on GET requests" checkbox; in page metadata it is the `confirmationTokenRequired` flag of the ApexPage). Note that the page can then only be reached through links the platform generates with the token included, so bookmarks and hand-written URLs to the page stop working.
2. **Avoid DML on Initialization**: Don't perform DML operations during page initialization. Code in the controller constructor and in the `action` attribute of `<apex:page>` runs on the initial GET request, which carries no anti-forgery token. Instead, trigger these operations through explicit user actions, like a button click: an `<apex:commandButton>` inside an `<apex:form>` submits a POST that Visualforce protects with its built-in CSRF token.

These steps align with Salesforce's security guidelines to mitigate CSRF risks. Step 2 is the primary fix; step 1 is an additional layer for pages that must keep accepting state-changing GET requests.
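Both the current answer and the recommended update above describe the fix only in prose. The following is an added example, not code from this FAQ or from Salesforce, showing a controller that performs DML during page load (the pattern the ApexCSRF and VfCsrf rules flag) next to the same controller restructured so the DML runs only from a form submission. Assumptions made for the example: a custom object `Request__c` with a checkbox field `Approved__c`, the record Id passed in the `id` URL parameter, and a page named `ApproveRequest`; in a real org the two classes live in separate Apex class files.

```apex
// Added example, not code from the FAQ or from Salesforce.
// Assumptions: custom object Request__c with checkbox field Approved__c,
// record Id passed as the "id" URL parameter, page named ApproveRequest.

// BEFORE (vulnerable). Wired up as
//   <apex:page controller="ApproveRequestController" action="{!approve}">
// The action attribute runs on the initial GET, so a logged-in user who
// merely loads /apex/ApproveRequest?id=<recordId> (via an attacker's link
// or an <img src="..."> on another site) approves the record. No CSRF
// token is checked on that request.
public with sharing class ApproveRequestController {
    private final String requestId;

    public ApproveRequestController() {
        requestId = ApexPages.currentPage().getParameters().get('id');
    }

    // Executes during page load: state-changing DML on a GET request.
    public PageReference approve() {
        Request__c r = [SELECT Id, Approved__c FROM Request__c WHERE Id = :requestId];
        r.Approved__c = true;
        update r;
        return null;
    }
}

// AFTER (fixed). Page markup, with no action attribute on <apex:page>:
//   <apex:page controller="ApproveRequestControllerFixed">
//     <apex:form>
//       <apex:pageMessages/>
//       <apex:outputText value="Approve request {!req.Name}?" rendered="{!req != null}"/>
//       <apex:commandButton value="Approve" action="{!approve}" rendered="{!req != null}"/>
//     </apex:form>
//   </apex:page>
// The constructor only reads. The DML is reachable only through the
// commandButton, which Visualforce submits as a POST inside <apex:form>
// carrying the platform's own anti-CSRF token. Enabling "Require CSRF
// protection on GET requests" on the page is a second, independent layer.
public with sharing class ApproveRequestControllerFixed {
    public Request__c req { get; private set; }

    public ApproveRequestControllerFixed() {
        // Read-only initialisation: safe to run on the GET.
        String requestId = ApexPages.currentPage().getParameters().get('id');
        List<Request__c> rows = new List<Request__c>();
        if (String.isNotBlank(requestId)) {
            rows = [SELECT Id, Name, Approved__c FROM Request__c WHERE Id = :requestId LIMIT 1];
        }
        if (rows.isEmpty()) {
            ApexPages.addMessage(new ApexPages.Message(
                ApexPages.Severity.ERROR, 'Request not found.'));
            return;
        }
        req = rows[0];
    }

    // Explicit user action: reached only via the form POST, never on load.
    public PageReference approve() {
        if (req == null) {
            return null;
        }
        req.Approved__c = true;
        update req;
        ApexPages.addMessage(new ApexPages.Message(
            ApexPages.Severity.CONFIRM, 'Request approved.'));
        return null;
    }
}
```

The difference that matters is where the `update` is reachable from: in the first class it sits behind a page load, which any site can trigger with a link, while in the second it sits behind a button inside `<apex:form>`, so the request is a POST carrying the Visualforce anti-forgery token. Keep the constructor free of DML even after enabling `confirmationTokenRequired`, since that setting only restricts how the page is linked to, not what the controller does once it runs.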
Reasoning
The FAQ content is accurate and well-structured, addressing proper CSRF protection for Visualforce pages. I made minor wording improvements for clarity and conciseness:

1. Changed "Do not" to "Don't" for a more conversational tone per the brand guidelines.
2. Changed "Set this attribute in the Visualforce page settings" to "Set this attribute to `true`" for a more precise instruction.
3. These changes maintain the same technical content while improving readability and following the conversational writing style guidelines.

For security rule associations:

- **ApexCSRF**: This rule directly relates to the FAQ's core topic of fixing CSRF vulnerabilities. The FAQ discusses CSRF protection mechanisms like `confirmationTokenRequired` and avoiding DML on initialization, which are exactly the types of CSRF vulnerabilities this rule detects.
- **VfCsrf**: This rule specifically targets Visualforce CSRF issues, which is precisely what the FAQ addresses. The FAQ's recommendations about enabling `confirmationTokenRequired` and avoiding DML operations on page load are the standard remediation approaches for violations detected by this rule.

Both rules are directly applicable because they detect the exact security vulnerabilities that the FAQ teaches how to fix.