How can I protect a Visualforce page action from CSRF if using `confirmationTokenRequired="true"` is not a viable option?
Answer
If using `confirmationTokenRequired="true"` is not a viable option, you can still protect a Visualforce page action from CSRF by:
1. **Avoiding DML on Initialization**: Do not perform state changes or DML operations during page initialization. Instead, trigger these operations through explicit user actions, like button clicks.
2. **Validating User Inputs**: Ensure all user inputs are validated to prevent malicious data from being processed.
3. **Implementing Access Checks**: Add proper access controls to secure the page and its actions.
4. **Proper Encoding**: Use proper output encoding so that user-supplied values cannot be interpreted as markup or script.
These steps help leverage the platform's default CSRF protection mechanisms effectively.
How can I protect a Visualforce page action from CSRF if using `confirmationTokenRequired="true"` is not a viable option?
Recommended Answer Update
If using `confirmationTokenRequired="true"` is not a viable option, you can still protect a Visualforce page action from CSRF by:
1. **Avoiding DML on Initialization**: Don't perform state changes or DML operations during page initialization. Instead, trigger these operations through explicit user actions, like button clicks.
2. **Validating User Inputs**: Ensure all user inputs are validated to prevent malicious data from being processed.
3. **Implementing Access Checks**: Add proper access controls to secure the page and its actions.
4. **Using Proper Encoding**: Use proper output encoding so that user-supplied values cannot be interpreted as markup or script.
These steps help leverage the platform's default CSRF protection mechanisms effectively.
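An added example illustrating the four steps in the answer above (both the original and the recommended update); this is not code from the FAQ, and the controller, object and field names are assumptions. It contrasts a page whose DML fires from the `action` attribute on load with the same work moved behind a form postback, with the input check, access check and encoding in place and without `confirmationTokenRequired`.

```apex
// Added example; the controller, object and field names are assumptions.
// VULNERABLE markup: the DML runs on a plain GET, so any link or image
// that the user loads can trigger it without a token.
//   <apex:page controller="AccountCleanupController" action="{!deleteAccount}"/>
// HARDENED markup: the DML runs only on a POST from the page's own form,
// which carries the platform's anti-CSRF token.
//   <apex:page controller="AccountCleanupController">
//     <apex:form>
//       <apex:pageMessages/>
//       <apex:outputText value="{!acct.Name}"/>            <!-- escaped by default -->
//       <script>var n = '{!JSENCODE(acct.Name)}';</script> <!-- encode in JS context -->
//       <apex:commandButton action="{!deleteAccount}" value="Delete"/>
//     </apex:form>
//   </apex:page>
public with sharing class AccountCleanupController {
    public Account acct { get; private set; }
    // Step 1: initialization is read-only. No DML, no state change here.
    public AccountCleanupController() {
        Id acctId = parseAccountId(ApexPages.currentPage().getParameters().get('id'));
        if (acctId != null) {
            List<Account> rows = [SELECT Id, Name FROM Account WHERE Id = :acctId LIMIT 1];
            acct = rows.isEmpty() ? null : rows[0];
        }
    }
    // Step 2: input validation. Accept only a well-formed Account Id.
    private static Id parseAccountId(String raw) {
        if (String.isBlank(raw)) return null;
        try {
            Id candidate = Id.valueOf(raw);
            return candidate.getSobjectType() == Account.sObjectType ? candidate : null;
        } catch (StringException e) {
            return null;   // Id.valueOf throws on malformed input
        }
    }
    // The only DML, reachable only through the commandButton postback.
    public PageReference deleteAccount() {
        // Step 3: access check. "with sharing" covers record visibility, not the delete permission.
        if (acct == null || !Schema.sObjectType.Account.isDeletable()) {
            ApexPages.addMessage(new ApexPages.Message(
                ApexPages.Severity.ERROR, 'You do not have access to delete this record.'));
            return null;
        }
        delete acct;
        return new PageReference('/' + Account.sObjectType.getDescribe().getKeyPrefix());
    }
}
```

Step 4 is shown in the markup: `apex:outputText` escapes by default, and values placed into a script context go through `JSENCODE`.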
Reasoning
The FAQ content is largely accurate and provides solid alternative CSRF protection strategies. I made minor improvements to enhance clarity and consistency:
1. Changed "Do not perform" to "Don't perform" for a more conversational tone per the brand guidelines
2. Refined "Proper Encoding" to "Using Proper Encoding" to maintain parallel structure with the other numbered items
3. These changes make the content more readable while preserving all the original security guidance
Regarding the related security rules:
**ApexCSRF**: This rule is directly relevant because the FAQ discusses CSRF protection strategies for Visualforce pages when the standard `confirmationTokenRequired` attribute cannot be used. The FAQ's recommendations about avoiding DML on initialization and implementing proper access checks align with the types of CSRF vulnerabilities this rule would detect.
**VfCsrf**: This rule specifically targets Visualforce CSRF issues, making it highly relevant to the FAQ's question about protecting Visualforce page actions from CSRF attacks. The FAQ's guidance on alternative protection mechanisms directly relates to the security concerns this rule addresses.