Newer Version Available
Protect Your Application from CSRF Vulnerabilities
CSRF Considerations and Limitations
Salesforce automatically protects most form-based requests from CSRF. Standard controllers and methods secure actions such as, insert, update, delete, and upsert when triggered by user interactions. These interactions include clicking a button or submitting a form.
However, CSRF protection doesn't apply to state-changing logic that runs automatically during page load. Examples include:
- DML operations that execute even before the page fully renders.
- Methods called from the action attribute in Visualforce pages.
- Component initialization code performing DML in Aura, LWC, or Visualforce.
Secure Visualforce Pages
Apex methods called in the action attribute on<apex:page> or in a controller’s constructor run on page load and bypass CSRF protection. To secure your data, use user-triggered DML instead of auto-triggered initialization.
- Avoid DML during page load: Trigger DML operations only in response to explicit user actions.
- Avoid automatic method calls: Don't call apex:actionFunction methods via JavaScript events such as onload.
Review the following example of auto-triggered DML. Since the init method runs during page load, it bypasses platform CSRF protections.
To secure the page against CSRF attacks, require explicit user interaction to trigger state-changing logic. In this example, the deleteAccount method runs only when the user clicks Delete.
Secure Aura and LWC
Don't perform DML or state-changing operations during component load. When you use init, connectedCallback, renderedCallback, or a constructor, perform only read-only operations to fetch data. State-changing actions require explicit user interaction.
Review this example of auto-triggered DML in an Aura component. Because the doInit initialization handler modifies server data on component load, it bypasses platform CSRF protections.
To secure the component against CSRF attacks, perform only read-only operations during initialization and require explicit user interaction to modify data.