FAQ-000265 - CSRF and DML Security Issues / Visualforce CSRF Protection


Current FAQ

Question
What is the recommended way to protect Visualforce pages from Cross-Site Request Forgery (CSRF) attacks?
Answer
The recommended way to protect Visualforce pages from Cross-Site Request Forgery (CSRF) attacks is to enable the `confirmationTokenRequired` boolean metadata field in the Visualforce page settings. When this field is set to `true`, GET requests to the page require a CSRF token in the URL, and the page becomes inaccessible if the token is omitted. This can be configured in the Visualforce page settings within your org setup.
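As an added illustration (not part of the original FAQ), this is what the setting looks like in the page's metadata file as retrieved through the Metadata API or stored in Salesforce DX source format. The page name `OrderConfirm` and the API version are assumptions; the `confirmationTokenRequired` element is the field the FAQ refers to.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- OrderConfirm.page-meta.xml (constructed example; page name and apiVersion are assumptions) -->
<ApexPage xmlns="http://soap.sforce.com/2006/04/metadata">
    <apiVersion>58.0</apiVersion>
    <availableInTouch>false</availableInTouch>
    <!-- Weak configuration: omit this element or set it to false, and a plain GET to
         /apex/OrderConfirm (e.g. from a link on an attacker-controlled site) is served
         with no anti-CSRF token check. -->
    <!-- Hardened configuration: with true, a GET to the page is refused unless the URL
         carries the platform-generated CSRF token. -->
    <confirmationTokenRequired>true</confirmationTokenRequired>
    <label>Order Confirmation</label>
</ApexPage>
```

A quick check before deploying: because the page becomes inaccessible when the token is omitted, any navigation to it must go through platform-generated links (such as `$Page` references or `apex:outputLink`/`apex:commandLink`) rather than hand-built URLs; a hand-built or externally supplied URL will be rejected, which is the intended behaviour.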

AI Recommended Enhancement

Related Security Rules
VfCsrf, ApexCSRF
Question
What is the recommended way to protect Visualforce pages from Cross-Site Request Forgery (CSRF) attacks?
Recommended Answer Update
The recommended way to protect Visualforce pages from Cross-Site Request Forgery (CSRF) attacks is to enable the `confirmationTokenRequired` boolean metadata field in the Visualforce page settings. When this field is set to `true`, GET requests to the page require a CSRF token in the URL, and the page becomes inaccessible if the token is omitted. This can be configured in the Visualforce page settings within your org setup.
Reasoning
The original answer is accurate and clear, with no outdated content detected. The information about the `confirmationTokenRequired` metadata field remains current and valid for Visualforce CSRF protection. No changes to the technical content are needed, as it aligns with current best practices. The writing follows the recommended tone: it is clear, direct, and provides actionable guidance without unnecessary verbosity.

Regarding the selected security rules:

1. **VfCsrf rule**: This is the most directly relevant rule, as it specifically detects Visualforce CSRF vulnerabilities. The FAQ discusses exactly what this rule checks for: proper CSRF protection in Visualforce pages through the `confirmationTokenRequired` setting. The FAQ content about enabling CSRF tokens relates directly to what this rule validates.
2. **ApexCSRF rule**: This rule is also relevant, as it detects CSRF issues in Apex code that supports Visualforce pages. While the FAQ focuses on the Visualforce configuration aspect, CSRF protection often involves both the page-level settings (covered in the FAQ) and the underlying Apex controller code (covered by this rule). The FAQ's guidance on CSRF protection complements what this rule checks for in the Apex layer.