
Apex page action Security issue

It seems we can't use the 'Action' method in <apex:page>. If any Action method is defined in the controller which takes an Id, then it violates 'Cross-Site Request Forgery (CSRF)' and the custom Action method doesn't support anti-CSRF token.


In the suggestions, it's mentioned to use the POST method, but I am not sure how to use the POST method in the <apex:page> action.


If you have any idea on this problem, please let us know.



Bhaskar Roy



Cross-Site Request Forgery (CSRF) can be avoided in Salesforce. Clear documentation has been given in the link below.

Please check the section under Cross-Site Request Forgery (CSRF).

I have checked those documents, but couldn't find the answer to what I asked. Thanks

I found no help in the document you suggested, only hinting that writing Action Methods exposes you to CSRF. Can I write a VF page without action methods? I think it would be a pretty useless page if I did.


From the document:

"Within the platform, we have implemented an anti-CSRF token to prevent this attack. Every page will include a random string of characters as a hidden form field. Upon the next page load, the application checks the validity of this string of characters and will not execute the command unless the value matches the expected value. This feature will protect you when using all of the standard controllers and methods."


So I am protected only using standard controllers and methods! No help at all about how I can use the same prevention measures in my own code. Not very helpful really.




Was anyone able to resolve this issue? I am also facing the same problem. Please do post if anyone has any updates.


Thanks in advance.

Tom DJ

I just got back a scanner result that says we have a CSRF issue too. I also found the documentation posted here to be pretty useless. It talks about a token in a hidden field that can be verified and seems to assume everyone knows how to do this. It does not give a link or reference to anything that demonstrates how to accomplish it in actual code. The security scan results have the same exact information, but no reference or example either. Also, I can't find anything that helps me on the discussion boards or the general web. Maybe I am missing something?


I would really appreciate it if someone could post an example of VF code for the hidden field (if pertinent) and example controller code that verifies it. It would help me immensely.


Thanks in advance,


Tom DJ.

Amit Singh1989

Has anyone got any solution?

I am also facing this kind of problem.



Amit Singh

Ulas Kutuk

I also have the same problem.
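
One way to address the scanner finding discussed in this thread, as an added example that is not part of any post: move the state-changing work out of the `<apex:page>` action attribute, which runs on a GET, into a method invoked by an `<apex:commandButton>` inside `<apex:form>`, so the request is a POST that carries the hidden anti-CSRF field described in the quoted documentation. The controller name `ConfirmDeleteController`, the method `confirmDelete`, the use of `Account` and the redirect target are assumptions for illustration.

```apex
/*
 * Added example, hypothetical names. Page markup (Visualforce), kept as a
 * comment so the page and its controller can be read together:
 *
 *   <apex:page controller="ConfirmDeleteController">
 *     <apex:pageMessages/>
 *     <apex:form>
 *       <apex:outputText value="Delete {!target.Name}?" rendered="{!NOT(ISNULL(target))}"/>
 *       <apex:commandButton value="Delete" action="{!confirmDelete}"/>
 *     </apex:form>
 *   </apex:page>
 *
 * There is deliberately no action="{!...}" on <apex:page>: a page action runs
 * on a plain GET, before any form (and its hidden token field) has been rendered.
 */
public with sharing class ConfirmDeleteController {
    public Account target { get; private set; }

    // Runs on the initial GET: read-only work only, no DML here.
    public ConfirmDeleteController() {
        String raw = ApexPages.currentPage().getParameters().get('id');
        try {
            Id accountId = Id.valueOf(raw);
            List<Account> rows = [SELECT Id, Name FROM Account WHERE Id = :accountId LIMIT 1];
            if (!rows.isEmpty()) {
                target = rows[0];
            }
        } catch (Exception e) {
            // Missing or malformed id parameter: leave target null.
        }
        if (target == null) {
            ApexPages.addMessage(new ApexPages.Message(
                ApexPages.Severity.ERROR, 'Record not found.'));
        }
    }

    // Runs only on the form POST sent by <apex:commandButton>.
    public PageReference confirmDelete() {
        if (target == null || !Schema.sObjectType.Account.isDeletable()) {
            ApexPages.addMessage(new ApexPages.Message(
                ApexPages.Severity.ERROR, 'Nothing was deleted.'));
            return null; // stay on the page and show the message
        }
        delete target;
        return new PageReference('/001'); // hypothetical landing page: Accounts tab
    }
}
```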