How do I properly resolve CSRF vulnerabilities in Visualforce controllers?
Answer
To resolve CSRF vulnerabilities in Visualforce controllers:
1. **Enable CSRF Token Requirement**: Set the `confirmationTokenRequired` boolean metadata field to `true` in the Visualforce page settings (the "Require CSRF protection on GET requests" checkbox). With it enabled, a GET request to the page is rejected unless the URL carries a valid CSRF token, so a forged link or image tag on another site can't load the page and trigger its controller. The page is then also unreachable by plain URL, including bookmarks and hard-coded links, so it's meant for pages reached through platform-generated links (for example a custom Delete action override) rather than pages users open directly. POST submissions from an `<apex:form>` are already protected: Visualforce adds a hidden anti-forgery token to every form and checks it on submit.
2. **Avoid State Changes on Initialization**: Do not perform state changes or DML operations during page initialization, that is, in the controller constructor or in the method bound to the page's `action` attribute (`<apex:page action="{!...}">`), because both run on every GET of the page. Instead, trigger these actions through explicit user interactions, such as a button click (`<apex:commandButton>` inside an `<apex:form>`), which submits a token-protected POST to the controller's action method.
For more detailed guidance, you can refer to the Secure Server-Side Development module on Trailhead.
How do I properly resolve CSRF vulnerabilities in Visualforce controllers?
Recommended Answer Update
To resolve CSRF vulnerabilities in Visualforce controllers:
1. **Enable CSRF Token Requirement**: Set the `confirmationTokenRequired` boolean metadata field to `true` in the Visualforce page settings (the "Require CSRF protection on GET requests" checkbox). With it enabled, a GET request to the page is rejected unless the URL carries a valid CSRF token, so a forged link or image tag on another site can't load the page and trigger its controller. The page is then also unreachable by plain URL, including bookmarks and hard-coded links, so it's meant for pages reached through platform-generated links (for example a custom Delete action override) rather than pages users open directly. POST submissions from an `<apex:form>` are already protected: Visualforce adds a hidden anti-forgery token to every form and checks it on submit.
2. **Avoid State Changes on Initialization**: Don't perform state changes or DML operations during page initialization, that is, in the controller constructor or in the method bound to the page's `action` attribute (`<apex:page action="{!...}">`), because both run on every GET of the page. Instead, trigger these actions through explicit user interactions, such as a button click (`<apex:commandButton>` inside an `<apex:form>`), which submits a token-protected POST to the controller's action method.
For more detailed guidance, you can refer to the Secure Server-Side Development module on Trailhead.
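A concrete before-and-after for the two steps above, as an added example that is not part of the original FAQ or the recommended update. It assumes an Account delete page named `DeleteAccount`, two controller extensions named `VulnerableDeleteExt` and `SafeDeleteExt`, and a single Account record; the page markup and the metadata fragment are shown as comments so the whole block stays in Apex.

```apex
// Added example, not code from the original FAQ or the recommended update.
// Class, page and record names are assumptions chosen for illustration.

// --- BEFORE: vulnerable ------------------------------------------------------
// Used as <apex:page standardController="Account" extensions="VulnerableDeleteExt">.
// The extension constructor runs on every GET, so a forged tag such as
//   <img src="https://<my-domain>.my.salesforce.com/apex/DeleteAccount?id=001...">
// placed on another site deletes the record for any logged-in user who loads it.
public with sharing class VulnerableDeleteExt {
    public VulnerableDeleteExt(ApexPages.StandardController stdCtrl) {
        // DML during initialization: this is the pattern step 2 tells you to avoid.
        delete [SELECT Id FROM Account WHERE Id = :stdCtrl.getId()];
    }
}

// --- AFTER: hardened ---------------------------------------------------------
// Page markup (assumed):
//   <apex:page standardController="Account" extensions="SafeDeleteExt">
//     <apex:form>
//       <apex:pageMessages/>
//       <apex:outputText value="Delete account {!Account.Name}?"/>
//       <apex:commandButton value="Delete" action="{!confirmDelete}"/>
//     </apex:form>
//   </apex:page>
// Page metadata (DeleteAccount.page-meta.xml), step 1 of the answer:
//   <confirmationTokenRequired>true</confirmationTokenRequired>
public with sharing class SafeDeleteExt {
    private final Id accountId;

    public SafeDeleteExt(ApexPages.StandardController stdCtrl) {
        // Initialization only reads state; no DML here.
        accountId = stdCtrl.getId();
    }

    // Reached only by the commandButton's POST. Visualforce puts a hidden
    // _CONFIRMATIONTOKEN field in every <apex:form> and rejects the submit
    // when it is missing or stale, so a cross-site request cannot get here.
    public PageReference confirmDelete() {
        // Object-level permission check before the DML. Not a CSRF control,
        // but a delete handler should never skip it.
        if (!Schema.sObjectType.Account.isDeletable()) {
            ApexPages.addMessage(new ApexPages.Message(
                ApexPages.Severity.ERROR, 'You do not have permission to delete accounts.'));
            return null;
        }
        try {
            delete [SELECT Id FROM Account WHERE Id = :accountId];
        } catch (DmlException e) {
            // Surface the failure (already deleted, locked, etc.) on the page.
            ApexPages.addMessages(e);
            return null;
        }
        // Back to the Accounts list after a successful delete.
        return new PageReference('/' + Schema.SObjectType.Account.getKeyPrefix() + '/o');
    }
}
```

The vulnerable extension is exactly the pattern the `ApexCSRF` rule named in the reasoning below flags: DML that a plain GET can trigger. In the hardened version, step 2 moves the delete behind a form POST that carries Visualforce's own token, and step 1 (`confirmationTokenRequired`) additionally blocks the GET itself, which is a useful second layer if someone later adds logic to the constructor or a page `action` method.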
Reasoning
The FAQ content is accurate and well-structured, addressing the core CSRF vulnerability concerns in Visualforce controllers. I made minor improvements to make the language more conversational and direct by changing 'Do not perform' to 'Don't perform' to align with the brand guide's preference for contractions and conversational tone.
I selected two security rules that directly relate to this FAQ:
1. **ApexCSRF** - This rule detects CSRF vulnerabilities in Apex code, which is exactly what the FAQ is teaching developers how to resolve. The FAQ's guidance on avoiding state changes during initialization and using explicit user interactions directly addresses the types of issues this rule would flag.
2. **VfCsrf** - This Visualforce-specific CSRF rule is highly relevant since the FAQ specifically focuses on 'CSRF vulnerabilities in Visualforce controllers.' The FAQ's recommendation to set `confirmationTokenRequired` to `true` directly addresses the type of CSRF protection this rule validates for Visualforce pages.