Surprise

Visual force and Apex issues including CSRF

Hi All,

 

Do we have this anti-forgery feature automatically incorporated in all the pages in which we have included a form tag on the Visualforce page?


After going through the stuff at the URL given below, it looks like we do not have to make any changes to the existing pages. It looks like this feature, once enabled by Salesforce, will automatically embed some token in the page, and all POST requests will be automatically verified by Salesforce.

 

Can somebody confirm that I am thinking right?

 

http://wiki.developerforce.com/page/Secure_Coding_Cross_Site_Request_Forgery#Apex_and_Visualforce_Applications

sfdcfox
Your "POST" actions are protected by default, but your "GET" methods are not. If your page will perform some permanent action when the page loads (such as creating records, updating data, or deleting records), it must be protected from CSRF by explicitly enabling the GET CSRF token feature.
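
The distinction in the answer above can be checked across a code base. The following is an added example, not part of either post: a small Python review helper that flags Visualforce pages whose `<apex:page>` tag binds an `action` (which runs on the initial GET) while the page metadata does not set `confirmationTokenRequired`, the Metadata API field behind the page's "Require CSRF protection on GET requests" setting. The page names, controller names and markup are constructed samples, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

MD_NS = "{http://soap.sforce.com/2006/04/metadata}"
# Opening <apex:page ...> tag; quoted values may contain '>' (e.g. in formulas).
PAGE_TAG = re.compile(r"""<apex:page\b((?:"[^"]*"|'[^']*'|[^>"'])*)>""", re.I)
ATTR = re.compile(r"""([\w:]+)\s*=\s*(?:"([^"]*)"|'([^']*)')""")

def page_load_action(markup):
    """Return the expression bound to <apex:page action=...>, or None."""
    m = PAGE_TAG.search(markup)
    if not m:
        return None
    for name, dq, sq in ATTR.findall(m.group(1)):
        if name.lower() == "action":
            return dq or sq
    return None

def get_token_required(meta_xml):
    """True if the page metadata sets confirmationTokenRequired to true."""
    node = ET.fromstring(meta_xml).find(MD_NS + "confirmationTokenRequired")
    return node is not None and (node.text or "").strip().lower() == "true"

def review(name, markup, meta_xml):
    """Return a finding for pages that act on GET without a CSRF token."""
    action = page_load_action(markup)
    if action is None or get_token_required(meta_xml):
        return None
    return f"{name}: {action} runs on page load (GET) without a CSRF token"

def meta(token_required):
    """Build constructed .page-meta.xml content for the samples below."""
    return ('<ApexPage xmlns="http://soap.sforce.com/2006/04/metadata">'
            f"<confirmationTokenRequired>{token_required}</confirmationTokenRequired>"
            "<label>Sample</label></ApexPage>")

# Constructed samples: an action on load versus the same action behind a form POST.
PAGE_ON_LOAD = ('<apex:page controller="PurgeController" '
                'action="{!purgeOldRecords}"></apex:page>')
PAGE_FORM = ('<apex:page controller="PurgeController"><apex:form>'
             '<apex:commandButton action="{!purgeOldRecords}" value="Purge"/>'
             '</apex:form></apex:page>')

if __name__ == "__main__":
    for label, markup, m in [("PurgeOnLoad", PAGE_ON_LOAD, meta("false")),
                             ("PurgeOnLoadToken", PAGE_ON_LOAD, meta("true")),
                             ("PurgeForm", PAGE_FORM, meta("false"))]:
        print(label, "->", review(label, markup, m) or "ok")
```

A finding is a prompt for review rather than proof of a problem: a page-load action that only reads data does not need the token.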