FAQ-000262 - CSRF and DML Security Issues / Visualforce CSRF Protection


Current FAQ

Question
How can I properly resolve CSRF vulnerabilities in Visualforce pages and controllers?
Answer
To properly resolve CSRF vulnerabilities in Visualforce pages and controllers:

1. **Enable CSRF Token Requirement**: Set the `confirmationTokenRequired` boolean metadata field to `true` in the Visualforce page settings. This ensures that GET requests to the page require a CSRF token in the URL, making the page inaccessible without the token.
2. **Avoid DML on Initialization**: Do not perform state changes or DML operations in Apex controllers during page initialization. Instead, trigger these operations through explicit user actions, like button clicks.

For more detailed guidance, you can refer to the Secure Server-Side Development module on Trailhead.

AI Recommended Enhancement

Related Security Rules
ApexCSRF, VfCsrf
Question
How can I properly resolve CSRF vulnerabilities in Visualforce pages and controllers?
Recommended Answer Update
To properly resolve CSRF vulnerabilities in Visualforce pages and controllers:

1. **Enable CSRF Token Requirement**: Set the `confirmationTokenRequired` boolean metadata field to `true` in the Visualforce page settings. This ensures that GET requests to the page require a CSRF token in the URL, making the page inaccessible without the token.
2. **Avoid DML on Initialization**: Don't perform state changes or DML operations in Apex controllers during page initialization. Instead, trigger these operations through explicit user actions, like button clicks.

For more detailed guidance, you can refer to the Secure Server-Side Development module on Trailhead.
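The two fixes in the answer (the same two points appear in the Current FAQ answer and in this recommended update), shown as an added Apex example that is not part of the original FAQ: a controller that performs DML in its constructor, which runs on every GET of the page, beside the corrected form that moves the write into an action method reachable only through a button. The class, object, field, page and API version names are hypothetical; the `confirmationTokenRequired` metadata field is the one the answer refers to.

```apex
// Added example (not from the original FAQ). All names are hypothetical.

// BEFORE: a state change runs in the constructor, which executes on every GET
// of the page. Simply following a link to the page is enough to trigger the
// update, so no user intent is ever confirmed. This is the pattern the
// ApexCSRF rule flags (DML on page initialization).
public with sharing class AccountStatusControllerVulnerable {
    private final Account acct;

    public AccountStatusControllerVulnerable(ApexPages.StandardController stdCtrl) {
        this.acct = (Account) stdCtrl.getRecord();
        acct.Rating = 'Hot';
        update acct;                 // DML during initialization
    }
}

// AFTER: the constructor only reads. The write lives in an action method that
// is invoked solely by a commandButton POST, which Visualforce protects with
// its built-in anti-CSRF token, so the request carries the user's intent.
public with sharing class AccountStatusController {
    private final Account acct;

    public AccountStatusController(ApexPages.StandardController stdCtrl) {
        this.acct = (Account) stdCtrl.getRecord();   // read-only on load
    }

    public PageReference markHot() {
        acct.Rating = 'Hot';
        update acct;                 // DML only on an explicit user action
        return null;                 // stay on the current page
    }
}

/*
   Hypothetical page markup (AccountStatus.page). The <apex:page action="...">
   attribute also runs on GET, so it is not a safe place for DML either; keep
   the write behind the button.

   <apex:page standardController="Account" extensions="AccountStatusController">
       <apex:form>
           <apex:commandButton value="Mark as Hot" action="{!markHot}"/>
       </apex:form>
   </apex:page>

   Hypothetical page metadata (AccountStatus.page-meta.xml) with the
   confirmationTokenRequired setting from the answer, so that GET requests to
   the page require a CSRF token (the API version is an assumed value):

   <?xml version="1.0" encoding="UTF-8"?>
   <ApexPage xmlns="http://soap.sforce.com/2006/04/metadata">
       <apiVersion>59.0</apiVersion>
       <confirmationTokenRequired>true</confirmationTokenRequired>
       <label>AccountStatus</label>
   </ApexPage>
*/
```

A quick check when reviewing a controller: every `insert`, `update`, `delete` or `upsert` should sit in a method that is only reachable from a form action, never in a constructor, a getter, or the page's `action` attribute.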
Reasoning
The FAQ content is accurate and well-structured. I made minor language improvements for clarity and conciseness: changed "Do not perform" to "Don't perform" to match the conversational tone guidelines and maintain a more natural, friendly voice. The technical content aligns with security best practices and doesn't conflict with any available security rules. Both related security rules are directly applicable: ApexCSRF specifically detects CSRF vulnerabilities in Apex code (particularly when DML operations are performed on page initialization), which directly relates to the FAQ's second point about avoiding DML on initialization. VfCsrf detects CSRF vulnerabilities in Visualforce pages and relates to the FAQ's first point about enabling CSRF token requirements through the confirmationTokenRequired setting.