What is the correct way to protect against CSRF when a Visualforce page is launched from both Lightning Components and classic buttons?
Answer
To protect against CSRF when a Visualforce page is launched from both Lightning Components and classic buttons:
1. **Enable CSRF Token Requirement**: Set the `confirmationTokenRequired` boolean metadata field in the Visualforce page settings. This ensures that GET requests to the page require a CSRF token in the URL, so a forged cross-site link cannot invoke the page's logic.
2. **Avoid DML on Initialization**: Do not perform state changes or DML operations during page initialization. Instead, trigger these operations through user actions, like button clicks.
These steps ensure robust CSRF protection across both Lightning and Classic experiences.
What is the correct way to protect against CSRF when a Visualforce page is launched from both Lightning Components and classic buttons?
Recommended Answer Update
To protect against CSRF when a Visualforce page is launched from both Lightning Components and classic buttons:
1. **Enable CSRF Token Requirement**: Set the `confirmationTokenRequired` boolean metadata field in the Visualforce page settings. This ensures that GET requests to the page require a CSRF token in the URL, so a forged cross-site link cannot invoke the page's logic.
2. **Avoid DML on Initialization**: Don't perform state changes or DML operations during page initialization. Instead, trigger these operations through user actions, like button clicks.
These steps ensure robust CSRF protection across both Lightning and Classic experiences.
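An added illustration of both steps (example code written for this FAQ, not Salesforce's own and not part of the original answer): an Apex controller whose constructor performs DML on every GET, beside the same controller restructured so the state change only runs from a command button's POST. The class names, the `closeCase` method and the Case update are hypothetical; each top-level class belongs in its own `.cls` file.

```apex
// File: CloseCaseControllerVulnerable.cls (hypothetical name)
// Vulnerable pattern: DML during page initialisation. Simply loading the
// page by GET (for example via a link embedded on another site) performs
// the update, and no anti-forgery token is checked on that request.
public with sharing class CloseCaseControllerVulnerable {
    private final Id caseId;

    public CloseCaseControllerVulnerable() {
        caseId = ApexPages.currentPage().getParameters().get('id');
        // State change in the constructor: runs on every GET of the page.
        Case c = new Case(Id = caseId, Status = 'Closed');
        update c;
    }
}

// File: CloseCaseController.cls (hypothetical name)
// Hardened pattern:
//  1. The constructor only reads data; no DML in the constructor or in a
//     page-level action="..." method.
//  2. The change is bound to <apex:commandButton action="{!closeCase}"/>,
//     so it runs only on a form POST that Visualforce validates against
//     the anti-forgery token tied to the view state.
//  3. The page's ApexPage metadata sets
//     <confirmationTokenRequired>true</confirmationTokenRequired>, so GET
//     requests to the page also require a CSRF token in the URL.
public with sharing class CloseCaseController {
    private final Id caseId;
    public Case record { get; private set; }

    public CloseCaseController() {
        caseId = ApexPages.currentPage().getParameters().get('id');
        // Read-only initialisation is safe to run on GET.
        record = [SELECT Id, CaseNumber, Status
                  FROM Case
                  WHERE Id = :caseId
                  LIMIT 1];
    }

    // Invoked only from the command button (POST with the CSRF token).
    public PageReference closeCase() {
        record.Status = 'Closed';
        update record;
        return new PageReference('/' + record.Id);
    }
}
```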
Reasoning
The FAQ content is technically accurate and addresses the core question well. The only minor improvement is simplifying 'Do not perform' to 'Don't perform' to match the conversational tone guidelines and make the content more natural and scannable. I selected the ApexCSRF rule because it specifically detects CSRF vulnerabilities in Apex controllers, which is directly relevant to the FAQ's discussion of protecting Visualforce pages from CSRF attacks. The VfCsrf rule is also highly relevant as it specifically targets CSRF protection in Visualforce pages, which is exactly what this FAQ addresses - the rule detects when Visualforce pages lack proper CSRF protection mechanisms like the confirmationTokenRequired setting mentioned in the answer.