FAQ-000259 - CSRF and DML Security Issues / Visualforce CSRF Protection


Current FAQ

Question
Should all Visualforce pages have CSRF protection enabled regardless of DML operations?
Answer
Yes. All Visualforce pages should have CSRF protection enabled, whether or not they perform DML operations. Setting the `confirmationTokenRequired` boolean metadata field to `true` makes the platform require a CSRF token in the URL of every GET request to the page, adding an extra layer of defence. This is a recommended best practice that strengthens the page against cross-site request forgery and mitigates potential vulnerabilities.
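The following audit script is an added example, not part of this FAQ or of any Salesforce tooling. It assumes that each Visualforce page is deployed with a `<PageName>.page-meta.xml` file (Metadata API type `ApexPage`) whose `<confirmationTokenRequired>` element is `true` or `false`, and it treats a page whose element is absent as unprotected. The sample metadata documents are constructed inline so the script runs offline; `scan_project` applies the same check to a project directory on disk.

```python
"""Audit Visualforce page metadata for CSRF protection on GET requests.

Added example, not part of the FAQ. Assumes each page is deployed with a
<PageName>.page-meta.xml file (Metadata API type ApexPage) in which the
<confirmationTokenRequired> element is "true" or "false"; an absent element
is reported as unprotected (assumption: nothing else turns the token on).
"""
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Dict, List

METADATA_NS = {"md": "http://soap.sforce.com/2006/04/metadata"}


def _page_meta(label: str, token_line: str) -> str:
    """Build a constructed ApexPage metadata document for the samples below."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<ApexPage xmlns="http://soap.sforce.com/2006/04/metadata">\n'
        "    <apiVersion>58.0</apiVersion>\n"
        "    <availableInTouch>false</availableInTouch>\n"
        f"{token_line}"
        f"    <label>{label}</label>\n"
        "</ApexPage>\n"
    )


# Constructed sample metadata files (not taken from any real org).
SAMPLE_PAGES: Dict[str, str] = {
    "AccountSummary.page-meta.xml": _page_meta(
        "AccountSummary",
        "    <confirmationTokenRequired>true</confirmationTokenRequired>\n"),
    "ContactList.page-meta.xml": _page_meta(
        "ContactList",
        "    <confirmationTokenRequired>false</confirmationTokenRequired>\n"),
    # Element omitted entirely: the weak, unreviewed state.
    "LegacyReport.page-meta.xml": _page_meta("LegacyReport", ""),
}


def requires_csrf_token(xml_text: str) -> bool:
    """True only when <confirmationTokenRequired> is present and equals "true"."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    node = root.find("md:confirmationTokenRequired", METADATA_NS)
    return node is not None and (node.text or "").strip().lower() == "true"


def audit_pages(pages: Dict[str, str]) -> Dict[str, str]:
    """Classify each page as 'protected', 'unprotected' or 'invalid-xml'."""
    result: Dict[str, str] = {}
    for name, xml_text in pages.items():
        try:
            result[name] = "protected" if requires_csrf_token(xml_text) else "unprotected"
        except ET.ParseError:
            # A metadata file that cannot be parsed must be looked at by hand.
            result[name] = "invalid-xml"
    return result


def unprotected_pages(pages: Dict[str, str]) -> List[str]:
    """Names of pages to flag in review, sorted for stable output."""
    return sorted(
        name for name, status in audit_pages(pages).items() if status != "protected"
    )


def scan_project(root: Path) -> List[str]:
    """Run the same audit over an SFDX or Metadata API project on disk."""
    files = {
        p.name: p.read_text(encoding="utf-8") for p in root.rglob("*.page-meta.xml")
    }
    return unprotected_pages(files)


if __name__ == "__main__":
    for page_name, page_status in audit_pages(SAMPLE_PAGES).items():
        print(f"{page_status:12} {page_name}")
```

Running the script flags `ContactList` (explicitly `false`) and `LegacyReport` (element missing) while passing `AccountSummary`; the same list is what a pre-deployment check would fail the build on.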

AI Recommended Enhancement

Related Security Rules
VfCsrf, ApexCSRF
Question
Should all Visualforce pages have CSRF protection enabled regardless of DML operations?
Recommended Answer Update
Yes, all Visualforce pages should have CSRF protection enabled, regardless of whether they perform DML operations. Enable CSRF protection by setting `confirmationTokenRequired="true"` in the page metadata, which ensures that requests to the page require a valid CSRF token. This adds an essential security layer that prevents Cross-Site Request Forgery attacks and is a required best practice for AppExchange security review.
Reasoning
The original answer had several areas for improvement: 1) It described `confirmationTokenRequired` as a 'boolean metadata field' when it's actually a page attribute that should be set to 'true' in string format, 2) It mentioned 'GET requests' specifically when CSRF protection applies to all HTTP requests, 3) The phrasing was somewhat verbose and could be more direct. The recommended updates provide clearer technical accuracy about how to implement CSRF protection, remove the misleading reference to GET requests only, and make the language more concise while maintaining all the key points about security importance and best practices. I selected VfCsrf because this FAQ directly addresses Visualforce CSRF protection, which is exactly what this PMD rule detects - it identifies Visualforce pages that lack proper CSRF protection via the confirmationTokenRequired attribute. I selected ApexCSRF because this FAQ discusses CSRF protection in the Salesforce platform context, and this rule detects CSRF vulnerabilities in Apex code that handles web requests without proper token validation, which is complementary to the Visualforce-level protection discussed in the FAQ.