How to resolve Cross Site Request Forgery(CSRF) in salesforce?

In the VF page controller I am receiving the data in a page load method using ApexPages.currentPage().getParameters() and inserting the data in to one of the custom object. Every thing works fine. But when I posted my instance for CheckMarx security review it shows CSRF error for this page. Checkmarx shows errors in the ** indicated lines..in page and controller. VF Page:

controller: 
public class myclass < public void fetch()< ** Mapobjfields = new map(); objfields =ApexPages.currentPage().getParameters(); custom1obj__c obj = new custom1obj__c(); //assign the objfields values to obj here insert obj; > >
Please help to solve this issue. 5,294 1 1 gold badge 29 29 silver badges 58 58 bronze badges asked Sep 16, 2015 at 6:17 321 1 1 gold badge 7 7 silver badges 23 23 bronze badges

2 Answers 2

Try doing one thing, maybe it will solve your problem for now -

  1. Go to Your VF Page from Setup
  2. Click on Edit button
  3. Find "Require CSRF protection on GET requests" this option in your Page Information just above your vf code block
  4. Make sure you have checked this option to TRUE
  5. Save your page.

I had faced same issue twice and was able to solve by only doing this.

answered Sep 16, 2015 at 6:40 Salesforce Steps Salesforce Steps 2,220 4 4 gold badges 37 37 silver badges 70 70 bronze badges

i got this error: The link you followed isn’t valid. This page requires a CSRF confirmation token. Report this error to your Salesforce administrator.

Commented Sep 16, 2015 at 6:49

Yes, I got your point, Can you please once try those steps and submit your code again for Checkmarks (I know thats gonaa take a day but, I am kinda sure those changes will work)

Commented Sep 16, 2015 at 7:09

i did the same procedure, what u have suggested above.. and after i refresh the page i get the above error

Commented Sep 16, 2015 at 7:12

Checkmarx is going to flag this code for CSRF because the action is performed automatically with a GET Request (page load). The only solution is to move the code out of the page action and into an action triggered via user interaction, such as a form post.

There is a suggestion to enabled CSRF protection for visualforce GET request but that's really missing the point. Checkmarx scans are intended to be used for packages being distributed on the Appexchange, and you have no control over whether this setting is present in an org running your package, so this isn't something you can rely on. For the same reason, CSRF has to be addressed in the source to be reliably fixed. Relying on org settings like this, which may be enabled or disabled without prior notification to the developer, is not a replacement for fixing the issue in the design of your app.

answered Sep 10, 2017 at 3:35 Robert Sussland Robert Sussland 3,254 15 15 silver badges 22 22 bronze badges

You must log in to answer this question.

Related

Hot Network Questions

Subscribe to RSS

Question feed

To subscribe to this RSS feed, copy and paste this URL into your RSS reader.

Site design / logo © 2024 Stack Exchange Inc; user contributions licensed under CC BY-SA . rev 2024.9.11.15092