
Cross-Site Request Forgery

A cross-site request forgery (CSRF) is an attack that forces an end user to execute unwanted actions during their authenticated web application session. To protect against CSRF, use confirmationTokenRequired, or trigger state changes with user actions.

All form requests made on the Salesforce Platform are protected. Insert, delete, update, and upsert state change operations triggered by user action, such as a button click, are also protected.

However, state change or data manipulation language (DML) operations triggered on page instantiation execute before the rest of the page loads, and they bypass the platform’s default CSRF protection. State change and DML operations in class constructors are vulnerable if they’re triggered from:
  • Visualforce pages
  • Lightning web components (LWC)
  • Aura
  • Any methods called from the action parameter of a Visualforce page

Apex Example

This Visualforce page is vulnerable to CSRF because the {!init} action is triggered on page initialization, so the update runs on a plain GET request before the user does anything.

<apex:page controller="maincontroller" action="{!init}">

// Controller action bound to the page's action attribute: it runs on every page load,
// including loads caused by a crafted URL, and performs DML before the page renders.
public PageReference init(){

   UserSetting__c accountToUpdate;
   PageReference p = Page.mainview;
   // Retrieve the password and redirect query string parameters from the current page URL
   String password = ApexPages.currentPage().getParameters().get('password');
   String redirect = ApexPages.currentPage().getParameters().get('redirect');
   if(String.isBlank(redirect)){
       p.getParameters().put('redirect', '/home/home.jsp');
       p.setRedirect(true);
   } else {
       // The redirect target is taken straight from the URL
       p.getParameters().put('redirect', redirect);
   }
   if(String.isBlank(password)){
       p.getParameters().put('password', 'blank');
       p.setRedirect(true);
   } else {
       // The URL-supplied value is written to the database with no user action and no token check
       p.getParameters().put('password', password);
       accountToUpdate = [SELECT password__c FROM UserSetting__c LIMIT 1];
       accountToUpdate.password__c = password;
       update accountToUpdate;
   }
   if(p.getRedirect() == true){
      return p;
   }
   else {
       return null;
   }
}

A hacker can craft a URL containing parameters that alter database statements, allowing them to perform malicious actions of their choosing. When a user opens such a URL while logged in to your app, the code executes using the hacker’s chosen URL parameters. The unintended database actions execute from the context of the victim’s browser.

Visualforce Page Protection

To protect against the CSRF vulnerability in a Visualforce page when state change or DML operations execute on page initialization, enable the confirmationTokenRequired boolean metadata field in the Visualforce page.

If confirmationTokenRequired is set to true, GET requests to the page require a CSRF token in the URL. If the token is omitted, the page is inaccessible.

The default setting is false, which leaves GET requests to the page without the built-in CSRF token check. You can configure this field in the Visualforce page's settings in Setup.

For more info about confirmationTokenRequired, refer to ApexPage in the Metadata API Developer Guide.

Lightning and LWC CSRF Protection

Don’t perform any state change or DML operations in an Apex controller during instantiation of an Aura or Lightning web component. Instead, trigger the state change with a user action, such as a button click. To learn more about CSRF and how to prevent it in your code, check out the Secure Server-Side Development module on Trailhead.
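The following is an added example, not code from this page or from Salesforce, showing how the vulnerable init() controller above can be restructured so that the DML runs only from a user action (the approach recommended for Visualforce, Aura and LWC alike). It assumes a controller class named MainController, a page named mainview, and the same UserSetting__c object and password__c field as the original snippet.

```apex
// Added example (not from the original page): the same settings update,
// restructured so that no state change runs during page initialization.
// The Visualforce page (assumed name: mainview) drops the action="{!init}"
// attribute and submits the change through a form button instead:
//
//   <apex:page controller="MainController">
//     <apex:form>
//       <apex:inputSecret value="{!newPassword}"/>
//       <apex:commandButton action="{!save}" value="Save"/>
//     </apex:form>
//   </apex:page>
//
// Form postbacks carry the platform's anti-forgery token, so save() only
// runs for a submit the user made, never for a crafted GET URL.
// If a page must keep an initialization action, set
// <confirmationTokenRequired>true</confirmationTokenRequired> in that
// page's ApexPage metadata so GET requests require the token as well.
public with sharing class MainController {
    // Bound to the input field; only populated by a form submit.
    public String newPassword { get; set; }

    // Constructor performs no DML: safe to run on every page load.
    public MainController() {}

    // Reached only from the command button, never from a URL parameter.
    public PageReference save() {
        if (String.isBlank(newPassword)) {
            ApexPages.addMessage(new ApexPages.Message(
                ApexPages.Severity.ERROR, 'A value is required.'));
            return null;
        }
        UserSetting__c settingToUpdate =
            [SELECT Id, password__c FROM UserSetting__c LIMIT 1];
        settingToUpdate.password__c = newPassword;
        update settingToUpdate;

        // Redirect to a fixed page rather than to a URL-supplied target,
        // which also removes the open-redirect behaviour of the original.
        PageReference p = Page.mainview;
        p.setRedirect(true);
        return p;
    }
}
```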